nvd-json-data-feeds/CVE-2017/CVE-2017-130xx/CVE-2017-13098.json

{
  "id": "CVE-2017-13098",
  "sourceIdentifier": "cret@cert.org",
  "published": "2017-12-13T01:29:00.280",
  "lastModified": "2020-10-20T22:15:20.170",
  "vulnStatus": "Modified",
  "descriptions": [
    {
      "lang": "en",
      "value": "BouncyCastle TLS prior to version 1.0.3, when configured to use the JCE (Java Cryptography Extension) for cryptographic functions, provides a weak Bleichenbacher oracle when any TLS cipher suite using RSA key exchange is negotiated. An attacker can recover the private key from a vulnerable application. This vulnerability is referred to as \"ROBOT.\""
    },
    {
      "lang": "es",
      "value": "BouncyCastle TLS, en versiones anteriores a la 1.0.3 cuando est\u00e1 configurado para utilizar la JCE (Java Cryptography Extension) para funciones criptogr\u00e1ficas, proporciona un or\u00e1culo de Bleichenbacher d\u00e9bil cuando se negocia una suite de cifrado TLS que utiliza un intercambio de claves RSA. Un atacante puede recuperar la clave privada desde una aplicaci\u00f3n vulnerable. Esta vulnerabilidad es conocida como \"ROBOT\"."
    }
  ],
  "metrics": {
    "cvssMetricV30": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.0",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "HIGH",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6
      },
      {
        "source": "cret@cert.org",
        "type": "Secondary",
        "cvssData": {
          "version": "3.0",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "NONE",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6
      }
    ],
    "cvssMetricV2": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "2.0",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "accessVector": "NETWORK",
          "accessComplexity": "MEDIUM",
          "authentication": "NONE",
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3
        },
        "baseSeverity": "MEDIUM",
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "acInsufInfo": false,
        "obtainAllPrivilege": false,
        "obtainUserPrivilege": false,
        "obtainOtherPrivilege": false,
        "userInteractionRequired": false
      }
    ]
  },
  "weaknesses": [
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-203"
        }
      ]
    },
    {
      "source": "cret@cert.org",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-203"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:*:*:*:*:*:*:*:*",
              "versionEndExcluding": "1.59",
              "matchCriteriaId": "9B5E0326-248A-4558-B1CC-CB28FE80DCE6"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html",
      "source": "cret@cert.org"
    },
    {
      "url": "http://www.kb.cert.org/vuls/id/144389",
      "source": "cret@cert.org",
      "tags": [
        "Issue Tracking",
        "Mitigation",
        "Third Party Advisory",
        "US Government Resource"
      ]
    },
    {
      "url": "http://www.securityfocus.com/bid/102195",
      "source": "cret@cert.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ]
    },
    {
      "url": "https://github.com/bcgit/bc-java/commit/a00b684465b38d722ca9a3543b8af8568e6bad5c",
      "source": "cret@cert.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://robotattack.org/",
      "source": "cret@cert.org",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://security.netapp.com/advisory/ntap-20171222-0001/",
      "source": "cret@cert.org",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://www.debian.org/security/2017/dsa-4072",
      "source": "cret@cert.org",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ]
    },
    {
      "url": "https://www.oracle.com/security-alerts/cpuoct2020.html",
      "source": "cret@cert.org"
    }
  ]
}