CVE-2024-34447

{"id": "CVE-2024-34447", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-05-03T16:15:11.460", "references": [{"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447", "source": "cve@mitre.org"}, {"url": "https://security.netapp.com/advisory/ntap-20240614-0007/", "source": "cve@mitre.org"}, {"url": "https://www.bouncycastle.org/latest_releases.html", "source": "cve@mitre.org"}, {"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902024%E2%80%9034447", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20240614-0007/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.bouncycastle.org/latest_releases.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-297"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Bouncy Castle Java Cryptography APIs before BC 1.78. When endpoint identification is enabled in the BCJSSE and an SSL socket is created without an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address in some situations, opening up a possibility of DNS poisoning."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en las API de criptograf\u00eda Java de Bouncy Castle antes de BC 1.78. Cuando la identificaci\u00f3n de endpoint est\u00e1 habilitada en BCJSSE y se crea un socket SSL sin un nombre de host expl\u00edcito (como sucede con HttpsURLConnection), la verificaci\u00f3n del nombre de host podr\u00eda realizarse contra una direcci\u00f3n IP resuelta por DNS en algunas situaciones, lo que abre una posibilidad de envenenamiento de DNS."}], "lastModified": "2025-03-20T20:15:32.217", "sourceIdentifier": "cve@mitre.org"}