5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-33201

GHSA ID

GHSA-hr8g-6v94-x4m9

EPSS Score

0.51177%

CWE

CWE-295

Published

7/5/2023

Updated

11/4/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-33201

CVE-2023-33201: Bouncy Castle For Java LDAP injection vulnerability

Bouncy Castle provides the X509LDAPCertStoreSpi.java class which can be used in conjunction with the CertPath API for validating certificate paths. Pre-1.73 the implementation did not check the X.500 name of any certificate, subject, or issuer being passed in for LDAP wild cards, meaning the presence of a wild car may lead to Information Disclosure.

A potential attack would be to generate a self-signed certificate with a subject name that contains special characters, e.g: CN=Subject*)(objectclass=. This will be included into the filter and provides the attacker ability to specify additional attributes in the search query. This can be exploited as a blind LDAP injection: an attacker can enumerate valid attribute values using the boolean blind injection technique. The exploitation depends on the structure of the target LDAP directory, as well as what kind of errors are exposed to the user.

Changes to the X509LDAPCertStoreSpi.java class add the additional checking of any X.500 name used to correctly escape wild card characters.

(GitHub Advisory)

5.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-33201

GHSA ID

GHSA-hr8g-6v94-x4m9

EPSS Score

0.51177%

CWE

CWE-295

Published

7/5/2023

Updated

11/4/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.bouncycastle:bcprov-jdk18on	maven	< 1.74	1.74
org.bouncycastle:bcprov-jdk15to18	maven	< 1.74	1.74
org.bouncycastle:bcprov-ext-jdk15to18	maven	< 1.74	1.74
org.bouncycastle:bcprov-ext-jdk18on	maven	< 1.74	1.74
org.bouncycastle:bcprov-debug-jdk15to18	maven	< 1.74	1.74
org.bouncycastle:bcprov-debug-jdk18on	maven	< 1.74	1.74
org.bouncycastle:bcprov-jdk14	maven	>= 1.49, < 1.74	1.74
org.bouncycastle:bcprov-ext-jdk14	maven	>= 1.49, < 1.74	1.74
org.bouncycastle:bcprov-debug-jdk14	maven	>= 1.49, < 1.74	1.74
org.bouncycastle:bcprov-jdk15on	maven	>= 1.49, <= 1.70
org.bouncycastle:bcprov-ext-jdk15on	maven	>= 1.49, <= 1.70
org.bouncycastle:bcprov-debug-jdk15on	maven	>= 1.49, <= 1.70

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper LDAP filter construction in the search method. The pre-patch code used 'attributeName + "=" + attributeValue' without escaping, making it susceptible to injection. The commit e8c409a added filterEncode() to sanitize inputs, confirming the vulnerability was in the original filter assembly logic. The search method is the primary point where untrusted certificate data was incorporated into LDAP queries without validation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*oun*y **stl* provi**s t** `X***L**P**rtStor*Spi.j*v*` *l*ss w*i** **n ** us** in *onjun*tion wit* t** **rtP*t* *PI *or v*li**tin* **rti*i**t* p*t*s. Pr*-*.** t** impl*m*nt*tion *i* not ****k t** X.*** n*m* o* *ny **rti*i**t*, su*j**t, or issu*r **in

Reasoning

T** vuln*r**ility st*mm** *rom improp*r L**P *ilt*r *onstru*tion in t** s**r** m*t*o*. T** pr*-p*t** *o** us** '*ttri*ut*N*m* + "=" + *ttri*ut*V*lu*' wit*out *s**pin*, m*kin* it sus**pti*l* to inj**tion. T** *ommit ******* ***** `*ilt*r*n*o**()` to s

5.3

Basic Information

Concerned about an active attack path?

CVE-2023-33201: Bouncy Castle For Java LDAP injection vulnerability

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI