CVE-2016-1000338: Improper Verification of Cryptographic Signature

October 17, 2018 (updated May 14, 2024)

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of ‘invisible’ data into a signed structure.

References

github.com/advisories/GHSA-4vhj-98r6-424h
github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f
nvd.nist.gov/vuln/detail/CVE-2016-1000338

Detect and mitigate CVE-2016-1000338 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →