CVE-2016-1000346

CWE-320 CWE-32510 documents8 sources

Severity

3.7LOW

EPSS

1.0%

top 23.49%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Bouncycastle Bc-java Debian Debian Linux

Timeline

PublishedJun 4

Latest updateOct 17

Description

In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 2.2 | Impact: 1.4

Affected Packages5 packages

▶Mavenorg.bouncycastle:bcprov-jdk14< 1.56

▶Mavenorg.bouncycastle:bcprov-jdk15< 1.56

▶Mavenorg.bouncycastle:bcprov-jdk15on< 1.56

▶Debianbouncycastle< 1.56-1+3

▶NVDbouncycastle/bc-java1.55

Also affects: Debian Linux 8.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

In Bouncy Castle JCE Provider the other party DH public key is not fully validated↗2018-10-17

▶

OSV

In Bouncy Castle JCE Provider the other party DH public key is not fully validated↗2018-10-17

▶

CVEList

CVE-2016-1000346: In the Bouncy Castle JCE Provider version 1↗2018-06-04

▶

OSV

CVE-2016-1000346: In the Bouncy Castle JCE Provider version 1↗2018-06-04

▶

📋Vendor Advisories

Ubuntu

Bouncy Castle vulnerabilities↗2018-08-01

▶

Red Hat

bouncycastle: Other party DH public keys are not fully validated↗2016-10-29

▶

Debian

CVE-2016-1000346: bouncycastle - In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH pu...↗2016

▶

💬Community

Bugzilla

CVE-2016-1000346 bouncycastle: Other party DH public keys are not fully validated↗2018-06-07

▶

Bugzilla

CVE-2016-1000346 bouncycastle: Other party DH public keys are not fully validated [epel-6]↗2018-06-07

▶