7.5
CVE-2016-1000338
- EPSS 0.38%
- Published 01.06.2018 20:29:00
- Last modified 05.05.2025 14:14:28
- Source cve@mitre.org
In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
Data provided by the National Vulnerability Database (NVD)
Bouncycastle ≫ Legion-of-the-bouncy-castle-java-crytography-api Version >= 1.38 < 1.56
Redhat ≫ Satellite Capsule Version 6.4
Canonical ≫ Ubuntu Linux Version 14.04
Netapp ≫ 7-mode Transition Tool Version -
No CISA KEV entry or CERT.AT warning was found for this CVE.

Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 0.38% | 0.586 |

Source | Base Score | Exploit Score | Impact Score | Vector String |
---|---|---|---|---|
nvd@nist.gov | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
nvd@nist.gov | 5 | 10 | 2.9 | AV:N/AC:L/Au:N/C:N/I:P/A:N |

CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.