CVE-2016-1000342

Severity: 7.5 HIGH
EPSS: 0.5% (top 35.40%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jun 4; Latest update Oct 17

Description

In the Bouncy Castle JCE Provider version 1.55 and earlier, ECDSA does not fully validate the ASN.1 encoding of a signature on verification. It is possible to inject extra elements into the sequence that makes up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (5 packages)

Also affects: Debian Linux 8.0

Patches

🔴 Vulnerability Details (4)

OSV: In Bouncy Castle JCE Provider ECDSA does not fully validate ASN.1 encoding of signature on verification (2018-10-17)
GHSA: In Bouncy Castle JCE Provider ECDSA does not fully validate ASN.1 encoding of signature on verification (2018-10-17)
OSV: CVE-2016-1000342: In the Bouncy Castle JCE Provider version 1 (2018-06-04)
CVEList: CVE-2016-1000342: In the Bouncy Castle JCE Provider version 1 (2018-06-04)

📋 Vendor Advisories (3)

Ubuntu: Bouncy Castle vulnerabilities (2018-08-01)
Red Hat: bouncycastle: ECDSA improper validation of ASN.1 encoding of signature (2018-06-07)
Debian: CVE-2016-1000342: bouncycastle - In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully ... (2016)

💬 Community (3)

Bugzilla: CVE-2016-1000342 bouncycastle: ECDSA improper validation of ASN.1 encoding of signature [epel-all] (2018-06-07)
Bugzilla: CVE-2016-1000342 bouncycastle: ECDSA improper validation of ASN.1 encoding of signature (2018-06-07)
Bugzilla: CVE-2016-1000342 bouncycastle: ECDSA improper validation of ASN.1 encoding of signature [fedora-all] (2018-06-07)
CVE-2016-1000342 (HIGH CVSS 7.5) | In the Bouncy Castle JCE Provider v | cvebase.io