CVE-2018-1000613 [Critical] | Security Vulnerability in Bc-Java

Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-03-13	4.04%	5.04%	+0.99%
2	2025-12-28	5.45%	4.04%	-1.41%
3	2025-12-27	—	5.45%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-03-13

4.04%

5.04%

+0.99%

2025-12-28

5.45%

4.04%

-1.41%

2025-12-27

—

5.45%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
9.8	3.1	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` Click to expand Attack vector (AV:N) Could be attacked over the internet or any normal routed network—not just someone sitting at the machine. Attack complexity (AC:L) Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup. Privileges required (PR:N) No account or special rights needed—anonymous or random user is enough. User interaction (UI:N) Nobody has to click “OK” or open a trap file; it can work without a victim helping. Scope (S:U) Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems. Confidentiality (C:H) Serious risk that confidential data gets exposed in a big way. Integrity (I:H) They could widely tamper with or forge data—trust in the data is badly hurt. Availability (A:H) Could take the service down hard or make it unusable for people who depend on it.	3.9	5.9	[email protected]
7.5	2.0	HIGH	`AV:N/AC:L/Au:N/C:P/I:P/A:P` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:L) Exploitation conditions are straightforward and predictable. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:P) Partial integrity impact. Availability impact (A:P) Partial availability impact.	10.0	6.4	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

9.8

3.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand

Attack vector (AV:N): Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L): Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N): No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N): Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U): Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H): Serious risk that confidential data gets exposed in a big way.
Integrity (I:H): They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H): Could take the service down hard or make it unusable for people who depend on it.

3.9

5.9

[email protected]

7.5

2.0

HIGH

AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:L): Exploitation conditions are straightforward and predictable.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:P): Partial integrity impact.
Availability impact (A:P): Partial availability impact.

10.0

6.4

[email protected]

OS Trackers for CVE-2018-1000613

vendor	priority	summary	link
`debian`	low	CVE-2018-1000613 low priority: Debian including 1 source packages (bouncycastle), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2018-1000613
`redhat`	medium	—	https://access.redhat.com/security/cve/CVE-2018-1000613
`suse`	medium	CVE-2018-1000613 severity moderate: SUSE including 36 source package names (bouncycastle, bouncycastle-1.60-lp150.2.3.1, …), 38 product×package rows across 10 product lines (SUSE Linux Enterprise Module for Development Tools 15 SP2, SUSE Linux Enterprise Module for Development Tools 15 SP3, … (10 product lines)): Fixed 36, Known Not Affected 2.	https://www.suse.com/security/cve/CVE-2018-1000613/
`ubuntu`	medium	CVE-2018-1000613 medium priority: Ubuntu including 1 source packages (bouncycastle), 20 status rows across 20 suites (artful, bionic, cosmic, disco, eoan, focal, groovy, hirsute, impish, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 16, DNE 1, ignored 1, needed 1, released 1.	https://ubuntu.com/security/CVE-2018-1000613

Affected software / configurations for CVE-2018-1000613

References for CVE-2018-1000613

URL	Tags
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html	Mailing List Third Party Advisory
https://github.com/bcgit/bc-java/commit/4092ede58da51af9a21e4825fbad0d9a3ef5a223#diff-2c06e2edef41db889ee14899e12bd574	Patch
https://github.com/bcgit/bc-java/commit/cd98322b171b15b3f88c5ec871175147893c31e6#diff-148a6c098af0199192d6aede960f45dc	Patch
https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E	Mailing List
https://security.netapp.com/advisory/ntap-20190204-0003/	Third Party Advisory
https://www.oracle.com/security-alerts/cpuApr2021.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2020.html	Patch Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html	Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html	Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html	Patch Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html	Patch Third Party Advisory

URL

CVE-2018-1000613

Exploit prediction scoring system (EPSS) score for CVE-2018-1000613

Common vulnerability scoring system (CVSS) metrics for CVE-2018-1000613

Weakness enumeration for CVE-2018-1000613

GitHub Security Advisory for CVE-2018-1000613

OS Trackers for CVE-2018-1000613

Affected software / configurations for CVE-2018-1000613

References for CVE-2018-1000613

Vendor	Product	Version	Raw CPE
bouncycastle	bc-java	>= 1.58, < 1.60	cpe:2.3:a:bouncycastle:bc-java::::::::
netapp	oncommand_workflow_automation	—	cpe:2.3:a:netapp:oncommand_workflow_automation:-:::::::*
opensuse	leap	15.1	cpe:2.3:o:opensuse:leap:15.1:::::::*
oracle	api_gateway	11.1.2.4.0	cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:::::::*
oracle	banking_platform	2.6.0	cpe:2.3:a:oracle:banking_platform:2.6.0:::::::*
oracle	banking_platform	2.6.1	cpe:2.3:a:oracle:banking_platform:2.6.1:::::::*
oracle	banking_platform	2.6.2	cpe:2.3:a:oracle:banking_platform:2.6.2:::::::*
oracle	business_process_management_suite	11.1.1.9.0	cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:::::::*
oracle	business_process_management_suite	12.1.3.0.0	cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:::::::*
oracle	business_process_management_suite	12.2.1.3.0	cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:::::::*
oracle	business_transaction_management	12.1.0	cpe:2.3:a:oracle:business_transaction_management:12.1.0:::::::*
oracle	communications_application_session_controller	3.7.1	cpe:2.3:a:oracle:communications_application_session_controller:3.7.1:::::::*
oracle	communications_application_session_controller	3.8.0	cpe:2.3:a:oracle:communications_application_session_controller:3.8.0:::::::*
oracle	communications_converged_application_server	< 7.0.0.1	cpe:2.3:a:oracle:communications_converged_application_server::::::::
oracle	communications_converged_application_server	7.0.0.1	cpe:2.3:a:oracle:communications_converged_application_server:7.0.0.1:::::::*
oracle	communications_convergence	3.0.2	cpe:2.3:a:oracle:communications_convergence:3.0.2:::::::*
oracle	communications_diameter_signaling_router	8.0.0	cpe:2.3:a:oracle:communications_diameter_signaling_router:8.0.0:::::::*
oracle	communications_diameter_signaling_router	8.1	cpe:2.3:a:oracle:communications_diameter_signaling_router:8.1:::::::*
oracle	communications_diameter_signaling_router	8.2	cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2:::::::*
oracle	communications_diameter_signaling_router	8.2.1	cpe:2.3:a:oracle:communications_diameter_signaling_router:8.2.1:::::::*
oracle	communications_webrtc_session_controller	< 7.2	cpe:2.3:a:oracle:communications_webrtc_session_controller::::::::
oracle	communications_webrtc_session_controller	7.2	cpe:2.3:a:oracle:communications_webrtc_session_controller:7.2:::::::*
oracle	data_integrator	12.2.1.3.0	cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:::::::*
oracle	enterprise_manager_base_platform	12.1.0.5.0	cpe:2.3:a:oracle:enterprise_manager_base_platform:12.1.0.5.0:::::::*
oracle	enterprise_manager_base_platform	13.2.0.0	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.2.0.0:::::::*
oracle	enterprise_manager_base_platform	13.3.0.0	cpe:2.3:a:oracle:enterprise_manager_base_platform:13.3.0.0:::::::*
oracle	enterprise_manager_for_fusion_middleware	13.2.0.0	cpe:2.3:a:oracle:enterprise_manager_for_fusion_middleware:13.2.0.0:::::::*
oracle	enterprise_manager_for_fusion_middleware	13.3.0.0	cpe:2.3:a:oracle:enterprise_manager_for_fusion_middleware:13.3.0.0:::::::*
oracle	enterprise_repository	11.1.1.7.0	cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:::::::*
oracle	enterprise_repository	12.1.3.0.0	cpe:2.3:a:oracle:enterprise_repository:12.1.3.0.0:::::::*
oracle	managed_file_transfer	12.1.3.0.0	cpe:2.3:a:oracle:managed_file_transfer:12.1.3.0.0:::::::*
oracle	managed_file_transfer	12.2.1.3.0	cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:::::::*
oracle	peoplesoft_enterprise_peopletools	8.55	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:::::::*
oracle	peoplesoft_enterprise_peopletools	8.56	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:::::::*
oracle	peoplesoft_enterprise_peopletools	8.57	cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:::::::*
oracle	retail_convenience_and_fuel_pos_software	2.8.1	cpe:2.3:a:oracle:retail_convenience_and_fuel_pos_software:2.8.1:::::::*
oracle	retail_xstore_point_of_service	7.0	cpe:2.3:a:oracle:retail_xstore_point_of_service:7.0:::::::*
oracle	retail_xstore_point_of_service	7.1	cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:::::::*
oracle	soa_suite	12.1.3.0.0	cpe:2.3:a:oracle:soa_suite:12.1.3.0.0:::::::*
oracle	soa_suite	12.2.1.3.0	cpe:2.3:a:oracle:soa_suite:12.2.1.3.0:::::::*
oracle	utilities_network_management_system	1.12.0.3	cpe:2.3:a:oracle:utilities_network_management_system:1.12.0.3:::::::*
oracle	utilities_network_management_system	2.3.0.0	cpe:2.3:a:oracle:utilities_network_management_system:2.3.0.0:::::::*
oracle	utilities_network_management_system	2.3.0.1	cpe:2.3:a:oracle:utilities_network_management_system:2.3.0.1:::::::*
oracle	utilities_network_management_system	2.3.0.2	cpe:2.3:a:oracle:utilities_network_management_system:2.3.0.2:::::::*
oracle	webcenter_portal	11.1.1.9.0	cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:::::::*
oracle	webcenter_portal	12.2.1.3.0	cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:::::::*
oracle	weblogic_server	12.2.1.3	cpe:2.3:a:oracle:weblogic_server:12.2.1.3:::::::*