CVE-2018-1000613
Description
Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contain a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization. Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code: a handcrafted private key can include references to unexpected classes, which will be picked up from the class path of the executing application. This vulnerability appears to have been fixed in 1.60 and later.
Products
- api gateway 11.1.2.4.0,
- banking platform 2.6.0,
- banking platform 2.6.1,
- banking platform 2.6.2,
- business process management suite 11.1.1.9.0,
- business process management suite 12.1.3.0.0,
- business process management suite 12.2.1.3.0,
- business transaction management 12.1.0,
- communications application session controller 3.7.1,
- communications application session controller 3.8.0,
- communications converged application server,
- communications converged application server 7.0.0.1,
- communications convergence 3.0.2,
- communications diameter signaling router 8.0.0,
- communications diameter signaling router 8.1,
- communications diameter signaling router 8.2,
- communications diameter signaling router 8.2.1,
- communications webrtc session controller,
- communications webrtc session controller 7.2,
- data integrator 12.2.1.3.0,
- enterprise manager base platform 12.1.0.5.0,
- enterprise manager base platform 13.2.0.0,
- enterprise manager base platform 13.3.0.0,
- enterprise manager for fusion middleware 13.2.0.0,
- enterprise manager for fusion middleware 13.3.0.0,
- enterprise repository 11.1.1.7.0,
- enterprise repository 12.1.3.0.0,
- leap 15.1,
- legion-of-the-bouncy-castle-java-cryptography-api,
- managed file transfer 12.1.3.0.0,
- managed file transfer 12.2.1.3.0,
- oncommand workflow automation -,
- peoplesoft enterprise peopletools 8.55,
- peoplesoft enterprise peopletools 8.56,
- peoplesoft enterprise peopletools 8.57,
- retail convenience and fuel pos software 2.8.1,
- retail xstore point of service 7.0,
- retail xstore point of service 7.1,
- soa suite 12.1.3.0.0,
- soa suite 12.2.1.3.0,
- utilities network management system 1.12.0.3,
- utilities network management system 2.3.0.0,
- utilities network management system 2.3.0.1,
- utilities network management system 2.3.0.2,
- webcenter portal 11.1.1.9.0,
- webcenter portal 12.2.1.3.0,
- weblogic server 12.2.1.3