CVE-2016-1000338

NVD

https://nvd.nist.gov/vuln/detail/CVE-2016-1000338

Severity

7.5

High

CVSS V3

Eliminate CVEs with Chainguard hardened images

Build, ship, and run secure software with minimal, hardened container images — rebuilt from source daily and guarded under our industry-leading remediation SLA.

Start for free

Description

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

References

https://nvd.nist.gov/vuln/detail/CVE-2016-1000338
https://github.com/advisories/GHSA-4vhj-98r6-424h
https://access.redhat.com/errata/RHSA-2018:2669
https://access.redhat.com/errata/RHSA-2018:2927
https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0
https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E
https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html
https://security.netapp.com/advisory/ntap-20231006-0011/
https://usn.ubuntu.com/3727-1/
https://www.oracle.com/security-alerts/cpuoct2020.html

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

The trusted source for open source

Talk to an expert

Privacy

Terms

CVE-2016-1000338

Severity

Description

References

Affected packages

The trusted source for open source

Product

Solutions

Customers

Resources

Company