What is CVE-2023-33201?

CVE-2023-33201 is an LDAP injection vulnerability in Bouncy Castle for Java before version 1.74.

How does the LDAP injection vulnerability in Bouncy Castle affect me?

The LDAP injection vulnerability in Bouncy Castle allows an attacker to inject malicious LDAP statements, potentially leading to unauthorized access or data leakage.

What is the severity of CVE-2023-33201?

CVE-2023-33201 has a severity rating of 7.1 (high).

How do I fix the LDAP injection vulnerability in Bouncy Castle?

To fix the LDAP injection vulnerability, update Bouncy Castle for Java to version 1.74 or later.

Where can I find more information about CVE-2023-33201?

You can find more information about CVE-2023-33201 on the Bouncy Castle website and the official GitHub page for BC-Java.

Vulnerability/
CVE-2023-33201

high

7.1

CWE

295

16/6/2023

5/7/2023

30/5/2024

CVE-2023-33201

First published: Fri Jun 16 2023(Updated: )

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

Credit: cve@mitre.org cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
maven/org.bouncycastle:bcprov-debug-jdk15on	>=1.49<=1.70
maven/org.bouncycastle:bcprov-ext-jdk15on	>=1.49<=1.70
maven/org.bouncycastle:bcprov-jdk15on	>=1.49<=1.70
maven/org.bouncycastle:bcprov-debug-jdk14	>=1.49<1.74	1.74
maven/org.bouncycastle:bcprov-ext-jdk14	>=1.49<1.74	1.74
maven/org.bouncycastle:bcprov-jdk14	>=1.49<1.74	1.74
maven/org.bouncycastle:bcprov-debug-jdk18on	<1.74	1.74
maven/org.bouncycastle:bcprov-debug-jdk15to18	<1.74	1.74
maven/org.bouncycastle:bcprov-ext-jdk18on	<1.74	1.74
maven/org.bouncycastle:bcprov-ext-jdk15to18	<1.74	1.74
maven/org.bouncycastle:bcprov-jdk15to18	<1.74	1.74
maven/org.bouncycastle:bcprov-jdk18on	<1.74	1.74
Bouncycastle Bc-java	<1.74
redhat/BouncyCastle	<1.74	1.74
IBM Security Verify Privilege On-Premises	<=All

Remedy

https://github.com/bcgit/bc-java/commit/e8c409a8389c815ea3fda5e8b94c92fdfe583bcc

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7047202

Frequently Asked Questions

What is CVE-2023-33201?
CVE-2023-33201 is an LDAP injection vulnerability in Bouncy Castle for Java before version 1.74.
How does the LDAP injection vulnerability in Bouncy Castle affect me?
The LDAP injection vulnerability in Bouncy Castle allows an attacker to inject malicious LDAP statements, potentially leading to unauthorized access or data leakage.
What is the severity of CVE-2023-33201?
CVE-2023-33201 has a severity rating of 7.1 (high).
How do I fix the LDAP injection vulnerability in Bouncy Castle?
To fix the LDAP injection vulnerability, update Bouncy Castle for Java to version 1.74 or later.
Where can I find more information about CVE-2023-33201?
You can find more information about CVE-2023-33201 on the Bouncy Castle website and the official GitHub page for BC-Java.

collector/github-advisory-latest
alias/GHSA-hr8g-6v94-x4m9
alias/CVE-2023-33201
collector/github-advisory
collector/nvd-index
collector/nvd-cve
agent/type
agent/first-publish-date
agent/author
agent/severity
agent/remedy
agent/weakness
agent/event
agent/description
collector/nvd-api
agent/software-canonical-lookup-request
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
agent/last-modified-date
agent/references
agent/softwarecombine
agent/tags
collector/ibm-support
source/IBM
package-manager/maven
vendor/bouncycastle
canonical/bouncycastle bc-java
package-manager/redhat
vendor/ibm
canonical/ibm security verify privilege on-premises
version/ibm security verify privilege on-premises/all