CVE-2018-1000613 — Vulnetix

CVE-2018-1000613 PUBLISHED

Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.

EPSS 5.04% · 89.7th percentile

Risk Scores

EPSS Score

5.04%

89.7th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:18.04:LTS	bouncycastle	0, 1.57-1, 1.58-1

Timeline

Jul 9, 2018 CVE Published
Apr 14, 2021 EPSS Score
Aug 23, 2021 EPSS Score
Oct 24, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Apr 28, 2022 EPSS Score
Jun 29, 2022 EPSS Score
Nov 1, 2022 EPSS Score
Mar 5, 2023 EPSS Score
Mar 7, 2023 EPSS Score
Jul 7, 2023 EPSS Score
Nov 7, 2023 EPSS Score

References

https://ubuntu.com/security/CVE-2018-1000613 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2018-1000613 third-party-advisory

Open in Interactive Console →