CVE-2023-33201: 
Java vulnerability analysis and mitigation

Bouncy Castle for Java versions prior to 1.74 contains an LDAP injection vulnerability (CVE-2023-33201). The vulnerability specifically affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. The issue was discovered and disclosed in July 2023 (NVD).

During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information through LDAP injection attacks. The vulnerability allows a malicious user to obtain unauthorized information via blind LDAP Injection, potentially exploring the environment and enumerating data (Red Hat).

The vulnerability has been fixed in Bouncy Castle version 1.74 and later. Organizations using affected versions should upgrade to version 1.74 or later to address this security issue. For Debian 10 buster, the fix has been implemented in version 1.60-1+deb10u1 (Debian Advisory).