vulnerability
Red Hat JBoss EAP: CVE-2023-33201: Improper Certificate Validation
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 5 | (AV:N/AC:L/Au:N/C:P/I:N/A:N) | Jun 16, 2023 | Sep 19, 2024 | Mar 25, 2026 |
Severity
5
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
Published
Jun 16, 2023
Added
Sep 19, 2024
Modified
Mar 25, 2026
Description
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.. A flaw was found in Bouncy Castle 1.73. This issue targets the fix of LDAP wild cards. Before the fix there was no validation for the X.500 name of any certificate, subject, or issuer, so the presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind LDAP Injection, exploring the environment and enumerating data. The exploit depends on the structure of the target LDAP directory as well as what kind of errors are exposed to the user.
Solution
red-hat-jboss-eap-upgrade-latest
References
- CWE-295
- CVE-2023-33201
- https://attackerkb.com/topics/CVE-2023-33201
- https://access.redhat.com/security/cve/CVE-2023-33201
- https://bugzilla.redhat.com/show_bug.cgi?id=2215465
- https://github.com/bcgit/bc-java/wiki/CVE-2023-33201
- https://access.redhat.com/errata/RHSA-2023:5484
- https://access.redhat.com/errata/RHSA-2023:5485
- https://access.redhat.com/errata/RHSA-2023:5486
- https://access.redhat.com/errata/RHSA-2023:5488
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2023-2081
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.