Skip to main content
Components
Vulnerabilities
Pricing
MCP
API
Docs
Sign up
Login
Find vulnerabilities. Fix fast with AI.
Search components by package, version, or CVE to get started.
org.codehaus.sonar-plugins/sonar-pdfreport… | Sonatype Guide
Get full component data and automated fixes with Sonatype Guide.
Sign up for free
maven
org.codehaus.sonar-plugins
sonar-pdfreport-plugin
1.4
sonar-pdfreport-plugin 1.4
Latest
org.codehaus.sonar-plugins
Published
Feb 9, 2015
•
Policy
compliance
maven Registry
Developer Trust Score
Recommended Version:
x.y.z
Recommended upgrade that meets your policy.
Compare Versions
Overview
Overview
Versions
1
Versions
1
Vulnerabilities
20
Vulnerabilities
20
Dependencies
4
Dependencies
4
Severity
Critical
(0)
High
(6)
Medium
(12)
Low
(2)
CVSS Score
0.0
10.0
EPSS Score
0.0
1.0
Malware
KEV Status
Published
Filter
Sort: Published (Newest first)
7.7
sonatype-2024-0946
bouncycastle - Improper Validation of Certificate with Host Mismatch
affected
Severity
High
Published
Apr 10, 2024
5.9
CVE-2024-30171
An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.
affected
Severity
Medium
Published
Apr 10, 2024
7.5
CVE-2024-29857
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.
affected
Severity
High
Published
Apr 10, 2024
5.3
CVE-2023-33201
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
affected
Severity
Medium
Published
Jun 19, 2023
5.3
CVE-2020-26939
In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
affected
Severity
Medium
Published
Nov 3, 2020
3.7
sonatype-2019-0673
BouncyCastle - Denial of Service (DoS)
affected
Severity
Low
Published
Mar 9, 2020
4.8
sonatype-2010-0032
BouncyCastle - This version of the provider has been specifically reviewed to eliminate possible timing attacks on algorithms such as GCM and CCM mode.
affected
Severity
Medium
Published
Jul 17, 2018
5.6
sonatype-2009-0035
BouncyCastle - the key space the HC-128 and HC-256 ciphers were operating in was high and the byte swapping inverted every 32 bits of the generated stream
affected
Severity
Medium
Published
Jul 17, 2018
8.8
CVE-2017-9096
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
affected
Severity
High
Published
Jul 12, 2018
4.4
CVE-2018-5382
The default BKS keystore use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS keystore. Bouncy Castle release 1.47 changes the BKS format to a format which uses a 160 bit HMAC instead. This applies to any BKS keystore generated prior to BC 1.47. For situations where people need to create the files for legacy reasons a specific keystore type "BKS-V1" was introduced in 1.49. It should be noted that the use of "BKS-V1" is discouraged by the library authors and should only be used where it is otherwise safe to do so, as in where the use of a 16 bit checksum for the file integrity check is not going to cause a security issue in itself.
affected
Severity
Medium
Published
Apr 27, 2018
7.5
CVE-2016-1000343
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.
affected
Severity
High
Published
Apr 6, 2017
5.9
CVE-2016-1000345
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.
affected
Severity
Medium
Published
Apr 6, 2017
5.9
CVE-2016-1000341
In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.
affected
Severity
Medium
Published
Apr 6, 2017
7.5
CVE-2016-1000338
In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
affected
Severity
High
Published
Apr 6, 2017
3.7
CVE-2016-1000346
In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.
affected
Severity
Low
Published
Apr 6, 2017
5.3
CVE-2016-1000339
In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.
affected
Severity
Medium
Published
Apr 6, 2017
5.0
CVE-2015-7940
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
affected
Severity
Medium
Published
Mar 28, 2017
4.0
CVE-2013-1624
The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
affected
Severity
Medium
Published
Mar 28, 2017
5.8
CVE-2012-5783
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
affected
Severity
Medium
Published
Mar 28, 2017
7.5
sonatype-2007-0004
sonatype-2007-0004 - Denial of Service (DoS)
affected
Severity
High
Published
Mar 28, 2017
