Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15

2018-10-17T16:27:50
ID GHSA-4MV7-CQ75-3QJM
Type github
Reporter GitHub Advisory Database
Modified 2019-07-03T21:02:04

Description

The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."