CVE-2016-1000342

In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
Configurations

Configuration 1 (hide)

cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:*:*:*:*:*:*:*:*

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-06-04 13:29

Updated : 2023-12-10 12:30


NVD link : CVE-2016-1000342

Mitre link : CVE-2016-1000342

CVE.ORG link : CVE-2016-1000342


JSON object : View

Products Affected

debian

  • debian_linux

bouncycastle

  • legion-of-the-bouncy-castle-java-crytography-api
CWE
CWE-347

Improper Verification of Cryptographic Signature