Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2016-1000338

Опубликовано: 15 окт. 2016
Источник: redhat
CVSS3: 4.8
EPSS Низкий

Описание

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

Отчет

This issue affects the versions of bouncycastle as shipped with Red Hat Subscription Asset Manager 1.x. Red Hat Product Security has rated this issue as having a security impact of Moderate. No update is planned for this product at this time. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
JBoss Developer Studio 11bouncycastleNot affected
Red Hat JBoss Data Grid 7bouncycastleNot affected
Red Hat JBoss Data Virtualization 6bouncycastleOut of support scope
Red Hat JBoss Enterprise Application Platform 7bouncycastleNot affected
Red Hat JBoss Fuse 6bouncycastleWill not fix
Red Hat JBoss Fuse Integration Service 2bouncycastleNot affected
Red Hat OpenShift Application RuntimesbouncycastleNot affected
Red Hat Single Sign-On 7bouncycastleNot affected
Red Hat Software Collectionsrh-eclipse46-bouncycastleWill not fix
Red Hat Subscription Asset ManagerbouncycastleNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-325
https://bugzilla.redhat.com/show_bug.cgi?id=1588313bouncycastle: DSA does not fully validate ASN.1 encoding during signature verification allowing for injection of unsigned data

EPSS

Процентиль: 65%
0.00485
Низкий

4.8 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2016-1000338

CVSS3: 7.5
ubuntu
больше 7 лет назад

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

nvd логотип

CVE-2016-1000338

CVSS3: 7.5
nvd
больше 7 лет назад

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

debian логотип

CVE-2016-1000338

CVSS3: 7.5
debian
больше 7 лет назад

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does no ...

github логотип

GHSA-4vhj-98r6-424h

CVSS3: 7.5
github
больше 7 лет назад

In Bouncy Castle JCE Provider it is possible to inject extra elements in the sequence making up the signature and still have it validate

suse-cvrf логотип

openSUSE-SU-2018:1689-1

suse-cvrf
больше 7 лет назад

Security update for bouncycastle

EPSS

Процентиль: 65%
0.00485
Низкий

4.8 Medium

CVSS3