Lucene search

K
osvGoogleOSV:GHSA-4VHJ-98R6-424H
HistoryOct 17, 2018 - 4:23 p.m.

In Bouncy Castle JCE Provider it is possible to inject extra elements in the sequence making up the signature and still have it validate

2018-10-1716:23:26
Google
osv.dev
30

0.004 Low

EPSS

Percentile

72.3%

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of β€˜invisible’ data into a signed structure.