Strix
26.1K

CVE-2013-1624

UnknownEPSS 2.97%

Last modified

CVE-2013-1624 is a vulnerability of currently unknown severity. The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.. EPSS estimates a 2.97% chance of exploitation in the next 30 days.

Description

The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

Metrics

EPSS Probability
2.97%

85.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
BouncycastleBc-Java1.01
BouncycastleBc-Java1.02
BouncycastleBc-Java1.03
BouncycastleBc-Java1.04
BouncycastleBc-Java1.05
BouncycastleBc-Java1.06
BouncycastleBc-Java1.07
BouncycastleBc-Java1.08
BouncycastleBc-Java1.09
BouncycastleBc-Java1.10
BouncycastleBc-Java1.11
BouncycastleBc-Java1.12
BouncycastleBc-Java1.13
BouncycastleBc-Java1.14
BouncycastleBc-Java1.15
BouncycastleBc-Java1.16
BouncycastleBc-Java1.17
BouncycastleBc-Java1.18
BouncycastleBc-Java1.19
BouncycastleBc-Java1.20
BouncycastleBc-Java1.21
BouncycastleBc-Java1.22
BouncycastleBc-Java1.23
BouncycastleBc-Java1.24
BouncycastleBc-Java1.25
BouncycastleBc-Java1.26
BouncycastleBc-Java1.27
BouncycastleBc-Java1.28
BouncycastleBc-Java1.29
BouncycastleBc-Java1.30
BouncycastleBc-Java1.31
BouncycastleBc-Java1.32
BouncycastleBc-Java1.33
BouncycastleBc-Java1.34
BouncycastleBc-Java1.35
BouncycastleBc-Java1.36
BouncycastleBc-Java1.37
BouncycastleBc-Java1.38
BouncycastleBc-Java1.39
BouncycastleBc-Java1.40
BouncycastleBc-Java1.41
BouncycastleBc-Java1.42
BouncycastleBc-Java1.43
BouncycastleBc-Java1.44
BouncycastleBc-Java1.45
BouncycastleBc-Java1.46
BouncycastleBc-Java1.47
BouncycastleLegion-Of-The-Bouncy-Castle-C\#-Cryptography-Api0.0
BouncycastleLegion-Of-The-Bouncy-Castle-C\#-Cryptography-Api1.0
BouncycastleLegion-Of-The-Bouncy-Castle-C\#-Cryptography-Api1.1

Showing 50 of 56 affected configurations. See NVD for the full list.

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2013-1624?
The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
How severe is CVE-2013-1624?
Severity scoring for CVE-2013-1624 is pending analysis. The EPSS model estimates a 2.97% probability of exploitation in the next 30 days.
How do I fix CVE-2013-1624?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2013-1624?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST