PT-2018-4632 · Bouncy Castle+3 · Bouncy Castle Jce Provider+4
Published
2018-06-01
·
Updated
2025-05-05
·
CVE-2016-1000338
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Bouncy Castle JCE Provider versions 1.55 and earlier
Description
The issue concerns the DSA in the Bouncy Castle JCE Provider, which does not fully validate ASN.1 encoding of a signature during verification. This allows for the injection of extra elements into the sequence that makes up the signature, enabling it to still validate. In some cases, this could allow the introduction of 'invisible' data into a signed structure.
Recommendations
For Bouncy Castle JCE Provider versions 1.55 and earlier, update to a version later than 1.55 to resolve the issue.
At the moment, there is no information about a newer version that contains a fix for this vulnerability in Jira Work Management and Jira Software.
Fix
Improper Verification of Cryptographic Signature
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Bouncy Castle Jce Provider
Jira
Jira Work Management
Suse
Ubuntu