CVE-2016-1000343: Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15

October 17, 2018 (updated September 17, 2021)

In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.

References

github.com/advisories/GHSA-rrvx-pwf8-p59p
github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389
nvd.nist.gov/vuln/detail/CVE-2016-1000343

Detect and mitigate CVE-2016-1000343 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →