CVE-2016-1000341 – org.bouncycastle:bcprov-jdk14

Package

Manager: maven
Name: org.bouncycastle:bcprov-jdk14
Vulnerable Version: >=0 <1.56

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.01291 pctl0.78898

Details

Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15 In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.

Metadata

Created: 2018-10-17T16:24:00Z
Modified: 2021-09-17T14:46:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-r9ch-m4fh-fc7q/GHSA-r9ch-m4fh-fc7q.json
CWE IDs: []
Alternative ID: GHSA-r9ch-m4fh-fc7q
Finding: F115
Auto approve: 1