CVE-2020-15522

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:bouncycastle:bc-csharp:*:*:*:*:*:*:*:*
cpe:2.3:a:bouncycastle:bouncy_castle_fips_.net_api:*:*:*:*:*:*:*:*
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-fips-java-api:*:*:*:*:*:*:*:*
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-fips-java-api:*:*:*:*:*:*:*:*
cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:*:*:*:*:*:*:*:*

History

22 Jun 2021, 09:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20210622-0007/ -

27 May 2021, 15:01

Type Values Removed Values Added
CPE cpe:2.3:a:bouncycastle:the_bouncy_castle_crypto_package_for_java:*:*:*:*:*:*:*:*
cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-fips-java-api:*:*:*:*:*:*:*:*
cpe:2.3:a:bouncycastle:bc-csharp:*:*:*:*:*:*:*:*
cpe:2.3:a:bouncycastle:bouncy_castle_fips_.net_api:*:*:*:*:*:*:*:*
CWE CWE-362
CVSS v2 : unknown
v3 : unknown
v2 : 4.3
v3 : 5.9
References (MISC) https://github.com/bcgit/bc-java/wiki/CVE-2020-15522 - (MISC) https://github.com/bcgit/bc-java/wiki/CVE-2020-15522 - Third Party Advisory
References (MISC) https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522 - (MISC) https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522 - Third Party Advisory
References (MISC) https://www.bouncycastle.org/releasenotes.html - (MISC) https://www.bouncycastle.org/releasenotes.html - Release Notes, Vendor Advisory

20 May 2021, 12:15

Type Values Removed Values Added
New CVE

Information

Published : 2021-05-20 12:15

Updated : 2023-12-10 13:55


NVD link : CVE-2020-15522

Mitre link : CVE-2020-15522

CVE.ORG link : CVE-2020-15522


JSON object : View

Products Affected

bouncycastle

  • bc-csharp
  • bouncy_castle_fips_.net_api
  • the_bouncy_castle_crypto_package_for_java
  • legion-of-the-bouncy-castle-fips-java-api
CWE
CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')