CVE-2015-7940

The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."

Published: Nov 9, 2015
Updated: May 9, 2024
CVE: CVE-2015-7940
GHSA: GHSA-4mv7-cq75-3qjm
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

Affected Software
References

Software	From	Fixed in
opensuse / leap	42.1	42.1.x
opensuse / opensuse	13.1	13.1.x
opensuse / opensuse	13.2	13.2.x
bouncycastle / bouncy_castle_crypto_package	-	1.50.x
oracle / peoplesoft_enterprise_peopletools	8.54	8.54.x
oracle / virtual_desktop_infrastructure	3.5.2	3.5.2.x
oracle / enterprise_manager_ops_center	12.2.2	12.2.2.x
oracle / application_testing_suite	12.5.0.2	12.5.0.2.x
oracle / application_testing_suite	12.5.0.1	12.5.0.1.x
oracle / enterprise_manager_ops_center	12.1.4	12.1.4.x
oracle / application_testing_suite	12.5.0.3	12.5.0.3.x
oracle / peoplesoft_enterprise_peopletools	8.55	8.55.x
org.bouncycastle / bcprov-jdk15	-	1.51
org.bouncycastle / bcprov-jdk14	-	1.51

Vulnerability Database

289,697

CVE-2015-7940