What is the vulnerability ID of this flaw in bouncycastle?

The vulnerability ID is CVE-2020-15522.

What is the severity rating of CVE-2020-15522?

The severity rating of CVE-2020-15522 is medium with a CVSS score of 5.9.

Which software versions are affected by CVE-2020-15522?

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.2.1, BC before 1.66, BC-FNA before 1.0.1.1.

How can this vulnerability be fixed?

To fix CVE-2020-15522, update Bouncy Castle BC Java to version 1.66 or higher, BC C# .NET to version 1.8.7 or higher, BC-FJA to version 1.0.2.1 or higher, and BC-FNA to version 1.0.1.1 or higher.

Where can I find more information about CVE-2020-15522?

More information about CVE-2020-15522 can be found at the following references: [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-15522), [GitHub - bc-csharp](https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522), [GitHub - bc-java](https://github.com/bcgit/bc-java/wiki/CVE-2020-15522).

Vulnerability/
CVE-2020-15522

medium

5.9

CWE

203 362 367

20/5/2021

13/8/2021

21/11/2024

CVE-2020-15522: Race Condition

First published: Thu May 20 2021(Updated: )

A flaw was found in bouncycastle. A timing issue within the EC math library can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

Credit: cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
nuget/BouncyCastle	<1.8.7	1.8.7
maven/org.bouncycastle:bcprov-jdk16	<1.66	1.66
maven/org.bouncycastle:bcprov-jdk15to18	<1.66	1.66
maven/org.bouncycastle:bcprov-jdk15on	<1.66	1.66
maven/org.bouncycastle:bcprov-jdk14	<1.66	1.66
maven/org.bouncycastle:bcprov-ext-jdk16	<1.66	1.66
maven/org.bouncycastle:bcprov-ext-jdk15on	<1.66	1.66
maven/org.bouncycastle:bc-fips	<=1.0.2	1.0.2.1
redhat/bouncycastle	<1.66	1.66
Bouncy Castle	<1.8.7
Bouncy Castle	<1.0.1.1
Bouncy Castle Crypto Package	<1.0.1.2
Bouncy Castle Crypto Package	>=1.0.2<1.0.2.1
Bouncy Castle bc-java	<1.66

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is the vulnerability ID of this flaw in bouncycastle?
The vulnerability ID is CVE-2020-15522.
What is the severity rating of CVE-2020-15522?
The severity rating of CVE-2020-15522 is medium with a CVSS score of 5.9.
Which software versions are affected by CVE-2020-15522?
Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.2.1, BC before 1.66, BC-FNA before 1.0.1.1.
How can this vulnerability be fixed?
To fix CVE-2020-15522, update Bouncy Castle BC Java to version 1.66 or higher, BC C# .NET to version 1.8.7 or higher, BC-FJA to version 1.0.2.1 or higher, and BC-FNA to version 1.0.1.1 or higher.
Where can I find more information about CVE-2020-15522?
More information about CVE-2020-15522 can be found at the following references: [NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2020-15522), [GitHub - bc-csharp](https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522), [GitHub - bc-java](https://github.com/bcgit/bc-java/wiki/CVE-2020-15522).

collector/github-advisory-latest
alias/GHSA-6xx3-rg99-gc3p
alias/CVE-2020-15522
collector/github-advisory
collector/redhat-cve
agent/author
agent/type
agent/first-publish-date
agent/references
agent/severity
agent/weakness
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
collector/ibm-support
source/IBM
agent/description
collector/mitre-cve
source/MITRE
agent/event
agent/trending
agent/last-modified-date
agent/source
agent/softwarecombine
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-cve
source/NVD
package-manager/nuget
package-manager/maven
package-manager/redhat
vendor/bouncycastle
canonical/bouncy castle
canonical/bouncy castle crypto package
version/bouncy castle crypto package/1.0.2
canonical/bouncy castle bc-java