CVE-2020-15522
Last modified
CVE-2020-15522 is a medium-severity vulnerability rated 5.9/10 on the CVSS scale. Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.. EPSS estimates a 1.52% chance of exploitation in the next 30 days.
Description
Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Bouncycastle | Bc-Csharp | < 1.8.7 |
| Bouncycastle | Bouncy Castle Fips .Net Api | < 1.0.1.1 |
| Bouncycastle | Fips Java Api | < 1.0.1.2 |
| Bouncycastle | Fips Java Api | >= 1.0.2, < 1.0.2.1 |
| Bouncycastle | The Bouncy Castle Crypto Package For Java | < 1.66 |
References
- https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522Third Party Advisory
- https://github.com/bcgit/bc-java/wiki/CVE-2020-15522Third Party Advisory
- https://www.bouncycastle.org/releasenotes.htmlRelease Notes, Vendor Advisory
- https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522Third Party Advisory
- https://github.com/bcgit/bc-java/wiki/CVE-2020-15522Third Party Advisory
- https://www.bouncycastle.org/releasenotes.htmlRelease Notes, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2020-15522?
How severe is CVE-2020-15522?
How do I fix CVE-2020-15522?
Are you affected by CVE-2020-15522?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST