[GHSA-574f-3g2m-x479] Use of a Broken or Risky Cryptographic Algorithm... #7767

Open

simon-reisinger-dynatrace wants to merge 1 commit into simon-reisinger-dynatrace/advisory-improvement-7767 from simon-reisinger-dynatrace-GHSA-574f-3g2m-x479

Conversation

@simon-reisinger-dynatrace

Updates

  • Affected products
  • CVSS v4
  • Description
  • Severity
  • Source code location
  • Summary

Comments

  • Added the missing affected packages
  • Extended the description
  • Updated the CVSS 4 vector

Copilot AI review requested due to automatic review settings, May 20, 2026 10:26
github-actions bot changed the base branch from main to simon-reisinger-dynatrace/advisory-improvement-7767, May 20, 2026 10:27

Copilot AI left a comment

Pull request overview

Updates GHSA-574f-3g2m-x479’s advisory content to better describe the cryptographic impact and to enumerate affected Maven artifacts, along with revised CVSS v4 and severity metadata.

Changes:

  • Added a summary and expanded details describing the CTR counter wrap/keystream reuse impact and fix behavior.
  • Populated affected with Maven coordinates and version ranges for multiple Bouncy Castle provider artifacts.
  • Updated CVSS v4 vector and adjusted database_specific.severity.

"type": "ECOSYSTEM",
"events": [
  {
    "introduced": "1.59"

simon-reisinger-dynatrace (Author) left a comment

Maven Central does not yet list a published 1.84 version for this package. See https://repo1.maven.org/maven2/org/bouncycastle/bcprov-jdk15on. Therefore, we can't be sure whether a future 1.84 version would fix the vulnerability.


2 participants