WEB APPLICATION VULNERABILITIES SCA (Software Composition Analysis)

CVE-2016-1000345 Vulnerability in maven package org.bouncycastle:bcprov-jdk15on

Description

In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.

Remediation

References

https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35#diff-4439ce586bf9a13bfec05c0d113b8098

https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html

https://usn.ubuntu.com/3727-1/

https://access.redhat.com/errata/RHSA-2018:2669

https://access.redhat.com/errata/RHSA-2018:2927

https://security.netapp.com/advisory/ntap-20181127-0004/

https://www.oracle.com/security-alerts/cpuoct2020.html

Related Vulnerabilities

CVE-2023-29209 Vulnerability in maven package org.xwiki.platform:xwiki-platform-legacy-notification-activitymacro

CVE-2017-16006 Vulnerability in npm package remarkable

CVE-2020-7689 Vulnerability in npm package bcrypt

CVE-2021-21295 Vulnerability in maven package io.netty:netty-codec-http2

CVE-2022-35204 Vulnerability in npm package vite

Severity

Medium

Classification

CWE-361 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Patch Third Party Advisory