CVE-2016-1000352

In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.

Published: Jun 4, 2018
Updated: May 9, 2024
CVE: CVE-2016-1000352
GHSA: GHSA-w285-wf9q-5w69
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.4
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v2:

Severity: Medium
Score: 5.8
AV:N/AC:M/Au:N/C:P/I:P/A:N

CWEs:

CWE-326
CWE-310

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
org.bouncycastle / bcprov-jdk14	-	1.56
org.bouncycastle / bcprov-jdk15	-	1.56
bouncycastle / bc-java	-	1.55.x

https://access.redhat.com/errata/RHSA-2018:2669
https://access.redhat.com/errata/RHSA-2018:2927
https://github.com/bcgit/bc-java/commit/9385b0ebd277724b167fe1d1456e3c112112be1f
https://security.netapp.com/advisory/ntap-20181127-0004/
https://www.oracle.com/security-alerts/cpuoct2020.html

Vulnerability Database

289,599

CVE-2016-1000352