CVE-2016-1000342 org.bouncycastle:bcprov-jdk15

Package

Manager: maven
Name: org.bouncycastle:bcprov-jdk15
Vulnerable Version: >=0 <1.56

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00382 (percentile 0.58819)

Details

In Bouncy Castle JCE Provider ECDSA does not fully validate ASN.1 encoding of signature on verification

In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
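The encoding check described above, as an added example that is not Bouncy Castle code or part of the advisory: a strict DER parser for an ECDSA signature beside a lenient one that models the flaw. The function names and the sample byte strings are assumptions constructed for illustration.

```python
# Added example: strict DER parsing of ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }.

def read_tlv(buf, pos):
    """Read one definite-length DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first >= 0x80:                      # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def der_uint(value):
    """Decode an INTEGER body that must be non-negative and minimally encoded."""
    if not value or value[0] & 0x80:
        raise ValueError("empty or negative INTEGER")
    if len(value) > 1 and value[0] == 0 and not value[1] & 0x80:
        raise ValueError("non-minimal INTEGER")
    return int.from_bytes(value, "big")

def parse_strict(sig):
    """Accept only SEQUENCE { INTEGER r, INTEGER s } with nothing else present."""
    tag, body, end = read_tlv(sig, 0)
    if tag != 0x30 or end != len(sig):
        raise ValueError("not a single SEQUENCE")
    t1, r, pos = read_tlv(body, 0)
    t2, s, pos = read_tlv(body, pos)
    if t1 != 0x02 or t2 != 0x02:
        raise ValueError("r and s must be INTEGERs")
    if pos != len(body):
        raise ValueError("extra elements inside SEQUENCE")
    return der_uint(r), der_uint(s)

def parse_lenient(sig):
    """Model of the flaw: read r and s, ignore whatever follows them."""
    _, body, _ = read_tlv(sig, 0)
    _, r, pos = read_tlv(body, 0)
    _, s, _ = read_tlv(body, pos)
    return int.from_bytes(r, "big"), int.from_bytes(s, "big")

# Constructed sample encodings (not real signatures): r = 1, s = 2.
GOOD = bytes.fromhex("3006020101020102")
PADDED = bytes.fromhex("300a0201010201020402beef")  # same r, s plus an OCTET STRING
```

Running `parse_strict` on the signature bytes before handing them to the verifier rejects encodings that carry anything beyond `r` and `s`; the range check of `r` and `s` against the curve order remains the verifier's job.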

Metadata

Created: 2018-10-17T16:24:12Z
Modified: 2025-09-02T20:27:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-qcj7-g2j5-g7r3/GHSA-qcj7-g2j5-g7r3.json
CWE IDs: ["CWE-347"]
Alternative ID: GHSA-qcj7-g2j5-g7r3
Finding: F163
Auto approve: 1