CVE-2016-1000338 org.bouncycastle:bcprov-jdk15

Package

Manager: maven
Name: org.bouncycastle:bcprov-jdk15
Vulnerable Version: >=1.38 <1.56

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0043 (percentile 0.61722)

Details

In Bouncy Castle JCE Provider version 1.55 and earlier, the DSA implementation does not fully validate the ASN.1 encoding of the signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
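
The strict check that closes this gap, as an added example (not Bouncy Castle's code): a DSA signature must be exactly one DER SEQUENCE holding two INTEGERs and nothing else. Function names are hypothetical and the sample byte strings are constructed test vectors.

```python
# Strict DER check for a DSA signature: SEQUENCE { INTEGER r, INTEGER s }.

def _read_tlv(buf, pos, tag):
    """Read one DER TLV with the given tag at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated header")
    first, pos = buf[pos + 1], pos + 2
    if first < 0x80:  # short-form length
        length = first
    else:  # long-form length, which DER requires to be minimal
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise ValueError("non-minimal length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + length], pos + length

def _read_positive_int(buf, pos):
    """Read a minimally encoded, non-negative INTEGER."""
    val, pos = _read_tlv(buf, pos, 0x02)
    if not val or val[0] & 0x80:
        raise ValueError("empty or negative INTEGER")
    if len(val) > 1 and val[0] == 0 and not (val[1] & 0x80):
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(val, "big"), pos

def parse_dsa_signature_strict(sig):
    """Return (r, s) or raise ValueError if anything but r and s is present."""
    body, end = _read_tlv(sig, 0, 0x30)
    if end != len(sig):
        raise ValueError("trailing bytes after SEQUENCE")
    r, pos = _read_positive_int(body, 0)
    s, pos = _read_positive_int(body, pos)
    if pos != len(body):  # the condition this advisory is about
        raise ValueError("extra elements inside SEQUENCE")
    return r, s

def is_strict(sig):
    try:
        parse_dsa_signature_strict(sig)
        return True
    except ValueError:
        return False

GOOD = bytes.fromhex("3006020101020102")         # constructed: r=1, s=2
EXTRA = bytes.fromhex("3009020101020102020103")  # constructed: third INTEGER
```

The range check 0 < r, s < q remains part of DSA verification itself and is not repeated here.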

Metadata

Created: 2018-10-17T16:23:26Z
Modified: 2024-08-29T16:17:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-4vhj-98r6-424h/GHSA-4vhj-98r6-424h.json
CWE IDs: ["CWE-347"]
Alternative ID: GHSA-4vhj-98r6-424h
Finding: F163
Auto approve: 1