CVE-2016-1000342: Improper Verification of Cryptographic Signature

October 17, 2018 (updated September 16, 2021)

In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of ‘invisible’ data into a signed structure.

References

github.com/advisories/GHSA-qcj7-g2j5-g7r3
github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647
nvd.nist.gov/vuln/detail/CVE-2016-1000342

Detect and mitigate CVE-2016-1000342 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →