{"url":"http://public2.vulnerablecode.io/api/packages/226239?format=json","purl":"pkg:maven/org.bouncycastle/bcprov-jdk15@1.40","type":"maven","namespace":"org.bouncycastle","name":"bcprov-jdk15","version":"1.40","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40320?format=json","vulnerability_id":"VCID-2pjq-5np3-buhj","summary":"In Bouncy Castle JCE Provider it is possible to inject extra elements in the sequence making up the signature and still have it validate\nIn Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2669","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2669"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2927","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2927"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000338.json","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000338.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000338","reference_id":"","reference_type":"","scores":[{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.59245","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.59227","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.59249","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.59253","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00381","scoring_system":"epss","scoring_elements":"0.59848","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000338"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000338","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000338"},{"reference_url":"https://github.com/bcgit/bc-java","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java"},{"reference_url":"https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647"},{"reference_url":"https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/commit/b0c3ce99d43d73a096268831d0d120ffc89eac7f#diff-3679f5a9d2b939d0d3ee1601a7774fb0"},{"reference_url":"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20231006-0011","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20231006-0011"},{"reference_url":"https://usn.ubuntu.com/3727-1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/3727-1"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2020.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588313","reference_id":"1588313","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588313"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000338","reference_id":"CVE-2016-1000338","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000338"},{"reference_url":"https://github.com/advisories/GHSA-4vhj-98r6-424h","reference_id":"GHSA-4vhj-98r6-424h","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4vhj-98r6-424h"},{"reference_url":"https://usn.ubuntu.com/3727-1/","reference_id":"USN-3727-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3727-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56695?format=json","purl":"pkg:maven/org.bouncycastle/bcprov-jdk15@1.56","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.bouncycastle/bcprov-jdk15@1.56"}],"aliases":["CVE-2016-1000338","GHSA-4vhj-98r6-424h"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2pjq-5np3-buhj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40341?format=json","vulnerability_id":"VCID-5pwz-mdv3-dkak","summary":"Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15\nIn the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2669","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2669"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2927","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2927"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000345.json","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000345.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000345","reference_id":"","reference_type":"","scores":[{"value":"0.00802","scoring_system":"epss","scoring_elements":"0.74483","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00802","scoring_system":"epss","scoring_elements":"0.74453","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00802","scoring_system":"epss","scoring_elements":"0.74445","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00802","scoring_system":"epss","scoring_elements":"0.74477","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00802","scoring_system":"epss","scoring_elements":"0.74471","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000345"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000345","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000345"},{"reference_url":"https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35"},{"reference_url":"https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35#diff-4439ce586bf9a13bfec05c0d113b8098","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/commit/21dcb3d9744c83dcf2ff8fcee06dbca7bfa4ef35#diff-4439ce586bf9a13bfec05c0d113b8098"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20181127-0004","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20181127-0004"},{"reference_url":"https://usn.ubuntu.com/3727-1","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/3727-1"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2020.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588323","reference_id":"1588323","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588323"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000345","reference_id":"CVE-2016-1000345","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000345"},{"reference_url":"https://github.com/advisories/GHSA-9gp4-qrff-c648","reference_id":"GHSA-9gp4-qrff-c648","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9gp4-qrff-c648"},{"reference_url":"https://usn.ubuntu.com/3727-1/","reference_id":"USN-3727-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3727-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56695?format=json","purl":"pkg:maven/org.bouncycastle/bcprov-jdk15@1.56","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.bouncycastle/bcprov-jdk15@1.56"}],"aliases":["CVE-2016-1000345","GHSA-9gp4-qrff-c648"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5pwz-mdv3-dkak"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40310?format=json","vulnerability_id":"VCID-72cc-rqu5-hub5","summary":"In Bouncy Castle JCE Provider the other party DH public key is not fully validated\nIn the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2669","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2669"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2927","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2927"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000346.json","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000346.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000346","reference_id":"","reference_type":"","scores":[{"value":"0.00962","scoring_system":"epss","scoring_elements":"0.76869","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00962","scoring_system":"epss","scoring_elements":"0.76883","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00962","scoring_system":"epss","scoring_elements":"0.76891","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00962","scoring_system":"epss","scoring_elements":"0.7688","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00989","scoring_system":"epss","scoring_elements":"0.7721","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000346"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346"},{"reference_url":"https://github.com/bcgit/bc-java","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java"},{"reference_url":"https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495"},{"reference_url":"https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495#diff-d525a20b8acaed791ae2f0f770eb5937","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/commit/1127131c89021612c6eefa26dbe5714c194e7495#diff-d525a20b8acaed791ae2f0f770eb5937"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20181127-0004","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20181127-0004"},{"reference_url":"https://usn.ubuntu.com/3727-1","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/3727-1"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2020.html","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588327","reference_id":"1588327","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588327"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000346","reference_id":"CVE-2016-1000346","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000346"},{"reference_url":"https://github.com/advisories/GHSA-fjqm-246c-mwqg","reference_id":"GHSA-fjqm-246c-mwqg","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-fjqm-246c-mwqg"},{"reference_url":"https://usn.ubuntu.com/3727-1/","reference_id":"USN-3727-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3727-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56695?format=json","purl":"pkg:maven/org.bouncycastle/bcprov-jdk15@1.56","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.bouncycastle/bcprov-jdk15@1.56"}],"aliases":["CVE-2016-1000346","GHSA-fjqm-246c-mwqg"],"risk_score":2.1,"exploitability":"0.5","weighted_severity":"4.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-72cc-rqu5-hub5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40353?format=json","vulnerability_id":"VCID-bf8c-jrdf-mfaw","summary":"In Bouncy Castle JCE Provider the DHIES implementation allowed the use of ECB mode\nIn the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2669","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2669"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2927","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2927"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000344.json","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000344.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000344","reference_id":"","reference_type":"","scores":[{"value":"0.00388","scoring_system":"epss","scoring_elements":"0.60223","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00388","scoring_system":"epss","scoring_elements":"0.60242","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00388","scoring_system":"epss","scoring_elements":"0.60259","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00388","scoring_system":"epss","scoring_elements":"0.60272","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00388","scoring_system":"epss","scoring_elements":"0.60269","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000344"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000344","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000344"},{"reference_url":"https://github.com/bcgit/bc-java/commit/9385b0ebd277724b167fe1d1456e3c112112be1f","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/commit/9385b0ebd277724b167fe1d1456e3c112112be1f"},{"reference_url":"https://security.netapp.com/advisory/ntap-20181127-0004","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20181127-0004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2020.html","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588314","reference_id":"1588314","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588314"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000344","reference_id":"CVE-2016-1000344","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000344"},{"reference_url":"https://github.com/advisories/GHSA-2j2x-hx4g-2gf4","reference_id":"GHSA-2j2x-hx4g-2gf4","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2j2x-hx4g-2gf4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56695?format=json","purl":"pkg:maven/org.bouncycastle/bcprov-jdk15@1.56","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.bouncycastle/bcprov-jdk15@1.56"}],"aliases":["CVE-2016-1000344","GHSA-2j2x-hx4g-2gf4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bf8c-jrdf-mfaw"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40314?format=json","vulnerability_id":"VCID-cjnx-86t9-uufs","summary":"In Bouncy Castle JCE Provider the ECIES implementation allowed the use of ECB mode\nIn the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2669","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2669"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2927","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2927"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000352.json","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000352.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000352","reference_id":"","reference_type":"","scores":[{"value":"0.00388","scoring_system":"epss","scoring_elements":"0.60272","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00388","scoring_system":"epss","scoring_elements":"0.60223","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00388","scoring_system":"epss","scoring_elements":"0.60242","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00388","scoring_system":"epss","scoring_elements":"0.60269","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00388","scoring_system":"epss","scoring_elements":"0.60259","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000352"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000352","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000352"},{"reference_url":"https://github.com/bcgit/bc-java","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java"},{"reference_url":"https://github.com/bcgit/bc-java/commit/9385b0ebd277724b167fe1d1456e3c112112be1f","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/commit/9385b0ebd277724b167fe1d1456e3c112112be1f"},{"reference_url":"https://security.netapp.com/advisory/ntap-20181127-0004","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20181127-0004"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2020.html","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588330","reference_id":"1588330","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588330"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000352","reference_id":"CVE-2016-1000352","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000352"},{"reference_url":"https://github.com/advisories/GHSA-w285-wf9q-5w69","reference_id":"GHSA-w285-wf9q-5w69","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-w285-wf9q-5w69"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56695?format=json","purl":"pkg:maven/org.bouncycastle/bcprov-jdk15@1.56","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.bouncycastle/bcprov-jdk15@1.56"}],"aliases":["CVE-2016-1000352","GHSA-w285-wf9q-5w69"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cjnx-86t9-uufs"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40313?format=json","vulnerability_id":"VCID-cnvy-kp5d-pkes","summary":"Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15\nIn the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2669","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2669"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2927","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2927"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000339.json","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000339.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000339","reference_id":"","reference_type":"","scores":[{"value":"0.01119","scoring_system":"epss","scoring_elements":"0.78586","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01119","scoring_system":"epss","scoring_elements":"0.78572","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01119","scoring_system":"epss","scoring_elements":"0.78599","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01119","scoring_system":"epss","scoring_elements":"0.78607","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01119","scoring_system":"epss","scoring_elements":"0.78597","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000339"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000339","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000339"},{"reference_url":"https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b"},{"reference_url":"https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b#diff-54656f860db94b867ba7542430cd2ef0","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/commit/413b42f4d770456508585c830cfcde95f9b0e93b#diff-54656f860db94b867ba7542430cd2ef0"},{"reference_url":"https://github.com/bcgit/bc-java/commit/8a73f08931450c17c749af067b6a8185abdfd2c0#diff-494fb066bed02aeb76b6c005632943f2","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/commit/8a73f08931450c17c749af067b6a8185abdfd2c0#diff-494fb066bed02aeb76b6c005632943f2"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20181127-0004","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20181127-0004"},{"reference_url":"https://usn.ubuntu.com/3727-1","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/3727-1"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2020.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588695","reference_id":"1588695","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588695"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000339","reference_id":"CVE-2016-1000339","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000339"},{"reference_url":"https://github.com/advisories/GHSA-c8xf-m4ff-jcxj","reference_id":"GHSA-c8xf-m4ff-jcxj","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-c8xf-m4ff-jcxj"},{"reference_url":"https://usn.ubuntu.com/3727-1/","reference_id":"USN-3727-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3727-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56695?format=json","purl":"pkg:maven/org.bouncycastle/bcprov-jdk15@1.56","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.bouncycastle/bcprov-jdk15@1.56"}],"aliases":["CVE-2016-1000339","GHSA-c8xf-m4ff-jcxj"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cnvy-kp5d-pkes"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/54386?format=json","vulnerability_id":"VCID-crd1-k1qv-jkec","summary":"Observable Differences in Behavior to Error Inputs in Bouncy Castle\nIn Legion of the Bouncy Castle BC before 1.55 and BC-FJA before 1.0.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26939","reference_id":"","reference_type":"","scores":[{"value":"0.02437","scoring_system":"epss","scoring_elements":"0.85444","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02437","scoring_system":"epss","scoring_elements":"0.85454","published_at":"2026-06-08T12:55:00Z"},{"value":"0.02437","scoring_system":"epss","scoring_elements":"0.85473","published_at":"2026-06-06T12:55:00Z"},{"value":"0.02437","scoring_system":"epss","scoring_elements":"0.85468","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-26939"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26939","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26939"},{"reference_url":"https://github.com/bcgit/bc-java/commit/930f8b274c4f1f3a46e68b5441f1e7fadb57e8c1","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/commit/930f8b274c4f1f3a46e68b5441f1e7fadb57e8c1"},{"reference_url":"https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e@%3Cissues.solr.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e@%3Cissues.solr.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e%40%3Cissues.solr.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e%40%3Cissues.solr.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/11/msg00007.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/11/msg00007.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20201202-0005","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20201202-0005"},{"reference_url":"https://github.com/bcgit/bc-java/wiki/CVE-2020-26939","reference_id":"CVE-2020-26939","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/wiki/CVE-2020-26939"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26939","reference_id":"CVE-2020-26939","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-26939"},{"reference_url":"https://github.com/advisories/GHSA-72m5-fvvv-55m6","reference_id":"GHSA-72m5-fvvv-55m6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-72m5-fvvv-55m6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80420?format=json","purl":"pkg:maven/org.bouncycastle/bcprov-jdk15@1.61","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.bouncycastle/bcprov-jdk15@1.61"}],"aliases":["CVE-2020-26939","GHSA-72m5-fvvv-55m6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-crd1-k1qv-jkec"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40298?format=json","vulnerability_id":"VCID-k31z-bskx-uuc9","summary":"Bouncy Castle has a flaw in the Low-level interface to RSA key pair generator\nBouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2423","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2423"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2424","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2424"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2425","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2425"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2428","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2428"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2643","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2643"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2669","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2669"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:0877","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2019:0877"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000180.json","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000180.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1000180","reference_id":"","reference_type":"","scores":[{"value":"0.0031","scoring_system":"epss","scoring_elements":"0.54493","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0031","scoring_system":"epss","scoring_elements":"0.54514","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0031","scoring_system":"epss","scoring_elements":"0.54524","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00319","scoring_system":"epss","scoring_elements":"0.55201","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1000180"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/bcgit/bc-java/commit/22467b6e8fe19717ecdf201c0cf91bacf04a55ad","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/commit/22467b6e8fe19717ecdf201c0cf91bacf04a55ad"},{"reference_url":"https://github.com/bcgit/bc-java/commit/73780ac522b7795fc165630aba8d5f5729acc839","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/commit/73780ac522b7795fc165630aba8d5f5729acc839"},{"reference_url":"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E"},{"reference_url":"https://security.netapp.com/advisory/ntap-20190204-0003","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20190204-0003"},{"reference_url":"https://www.bountysource.com/issues/58293083-rsa-key-generation-computation-of-iterations-for-mr-primality-test","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.bountysource.com/issues/58293083-rsa-key-generation-computation-of-iterations-for-mr-primality-test"},{"reference_url":"https://www.debian.org/security/2018/dsa-4233","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2018/dsa-4233"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2020.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuApr2021.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2020.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"reference_url":"http://www.securityfocus.com/bid/106567","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/106567"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588306","reference_id":"1588306","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588306"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900843","reference_id":"900843","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900843"},{"reference_url":"https://github.com/bcgit/bc-java/wiki/CVE-2018-1000180","reference_id":"CVE-2018-1000180","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/wiki/CVE-2018-1000180"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000180","reference_id":"CVE-2018-1000180","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000180"},{"reference_url":"https://github.com/advisories/GHSA-xqj7-j8j5-f2xr","reference_id":"GHSA-xqj7-j8j5-f2xr","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-xqj7-j8j5-f2xr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56655?format=json","purl":"pkg:maven/org.bouncycastle/bcprov-jdk15@1.60","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.bouncycastle/bcprov-jdk15@1.60"}],"aliases":["CVE-2018-1000180","GHSA-xqj7-j8j5-f2xr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k31z-bskx-uuc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40324?format=json","vulnerability_id":"VCID-qap8-a94t-3yac","summary":"Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15\nThe Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an \"invalid curve attack.\"","references":[{"reference_url":"http://git.bouncycastle.org/repositories/bc-java/commit/5cb2f0578e6ec8f0d67e59d05d8c4704d8e05f83","reference_id":"","reference_type":"","scores":[],"url":"http://git.bouncycastle.org/repositories/bc-java/commit/5cb2f0578e6ec8f0d67e59d05d8c4704d8e05f83"},{"reference_url":"http://git.bouncycastle.org/repositories/bc-java/commit/e25e94a046a6934819133886439984e2fecb2b04","reference_id":"","reference_type":"","scores":[],"url":"http://git.bouncycastle.org/repositories/bc-java/commit/e25e94a046a6934819133886439984e2fecb2b04"},{"reference_url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2016-2035.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2016-2035.html"},{"reference_url":"http://rhn.redhat.com/errata/RHSA-2016-2036.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://rhn.redhat.com/errata/RHSA-2016-2036.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7940.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-7940.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7940","reference_id":"","reference_type":"","scores":[{"value":"0.00972","scoring_system":"epss","scoring_elements":"0.77005","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00972","scoring_system":"epss","scoring_elements":"0.76976","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00972","scoring_system":"epss","scoring_elements":"0.76995","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00972","scoring_system":"epss","scoring_elements":"0.77008","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00972","scoring_system":"epss","scoring_elements":"0.77018","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2015-7940"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7940","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7940"},{"reference_url":"https://usn.ubuntu.com/3727-1","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/3727-1"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2020.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"},{"reference_url":"http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.html"},{"reference_url":"http://www.debian.org/security/2015/dsa-3417","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2015/dsa-3417"},{"reference_url":"http://www.openwall.com/lists/oss-security/2015/10/22/7","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2015/10/22/7"},{"reference_url":"http://www.openwall.com/lists/oss-security/2015/10/22/9","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2015/10/22/9"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html"},{"reference_url":"http://www.securityfocus.com/bid/79091","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securityfocus.com/bid/79091"},{"reference_url":"http://www.securitytracker.com/id/1037036","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securitytracker.com/id/1037036"},{"reference_url":"http://www.securitytracker.com/id/1037046","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securitytracker.com/id/1037046"},{"reference_url":"http://www.securitytracker.com/id/1037053","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.securitytracker.com/id/1037053"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1276272","reference_id":"1276272","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1276272"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802671","reference_id":"802671","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802671"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7940","reference_id":"CVE-2015-7940","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2015-7940"},{"reference_url":"https://github.com/advisories/GHSA-4mv7-cq75-3qjm","reference_id":"GHSA-4mv7-cq75-3qjm","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4mv7-cq75-3qjm"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:2035","reference_id":"RHSA-2016:2035","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:2035"},{"reference_url":"https://access.redhat.com/errata/RHSA-2016:2036","reference_id":"RHSA-2016:2036","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2016:2036"},{"reference_url":"https://usn.ubuntu.com/3727-1/","reference_id":"USN-3727-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3727-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56746?format=json","purl":"pkg:maven/org.bouncycastle/bcprov-jdk15@1.51","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-rh2m-yftg-7uc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.bouncycastle/bcprov-jdk15@1.51"}],"aliases":["CVE-2015-7940","GHSA-4mv7-cq75-3qjm"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qap8-a94t-3yac"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40318?format=json","vulnerability_id":"VCID-sxxg-bjnq-2kf7","summary":"Moderate severity vulnerability that affects org.bouncycastle:bcprov-jdk14 and org.bouncycastle:bcprov-jdk15\nIn the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2669","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2669"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2927","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2927"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000341.json","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000341.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000341","reference_id":"","reference_type":"","scores":[{"value":"0.00802","scoring_system":"epss","scoring_elements":"0.74483","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00802","scoring_system":"epss","scoring_elements":"0.74453","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00802","scoring_system":"epss","scoring_elements":"0.74471","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00802","scoring_system":"epss","scoring_elements":"0.74445","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00802","scoring_system":"epss","scoring_elements":"0.74477","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000341"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341"},{"reference_url":"https://github.com/bcgit/bc-java","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java"},{"reference_url":"https://github.com/bcgit/bc-java/commit/acaac81f96fec91ab45bd0412beaf9c3acd8defa","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/bcgit/bc-java/commit/acaac81f96fec91ab45bd0412beaf9c3acd8defa"},{"reference_url":"https://github.com/bcgit/bc-java/commit/acaac81f96fec91ab45bd0412beaf9c3acd8defa#diff-e75226a9ca49217a7276b29242ec59ce","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/commit/acaac81f96fec91ab45bd0412beaf9c3acd8defa#diff-e75226a9ca49217a7276b29242ec59ce"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20181127-0004","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20181127-0004"},{"reference_url":"https://usn.ubuntu.com/3727-1","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/3727-1"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2020.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588708","reference_id":"1588708","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588708"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000341","reference_id":"CVE-2016-1000341","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000341"},{"reference_url":"https://github.com/advisories/GHSA-r9ch-m4fh-fc7q","reference_id":"GHSA-r9ch-m4fh-fc7q","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-r9ch-m4fh-fc7q"},{"reference_url":"https://usn.ubuntu.com/3727-1/","reference_id":"USN-3727-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3727-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56695?format=json","purl":"pkg:maven/org.bouncycastle/bcprov-jdk15@1.56","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.bouncycastle/bcprov-jdk15@1.56"}],"aliases":["CVE-2016-1000341","GHSA-r9ch-m4fh-fc7q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sxxg-bjnq-2kf7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/41310?format=json","vulnerability_id":"VCID-txmh-5548-ckdg","summary":"Timing based private key exposure in Bouncy Castle\nBouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.2.1, BC before 1.66, BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15522.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15522.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15522","reference_id":"","reference_type":"","scores":[{"value":"0.00403","scoring_system":"epss","scoring_elements":"0.61243","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00403","scoring_system":"epss","scoring_elements":"0.61267","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00403","scoring_system":"epss","scoring_elements":"0.61274","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00403","scoring_system":"epss","scoring_elements":"0.61261","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00414","scoring_system":"epss","scoring_elements":"0.61955","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-15522"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210622-0007","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210622-0007"},{"reference_url":"https://www.bouncycastle.org/releasenotes.html","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.bouncycastle.org/releasenotes.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1962879","reference_id":"1962879","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1962879"},{"reference_url":"https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522","reference_id":"CVE-2020-15522","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-csharp/wiki/CVE-2020-15522"},{"reference_url":"https://github.com/bcgit/bc-java/wiki/CVE-2020-15522","reference_id":"CVE-2020-15522","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/wiki/CVE-2020-15522"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15522","reference_id":"CVE-2020-15522","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-15522"},{"reference_url":"https://github.com/advisories/GHSA-6xx3-rg99-gc3p","reference_id":"GHSA-6xx3-rg99-gc3p","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6xx3-rg99-gc3p"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1401","reference_id":"RHSA-2021:1401","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1401"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2755","reference_id":"RHSA-2021:2755","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2755"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:5134","reference_id":"RHSA-2021:5134","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:5134"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1013","reference_id":"RHSA-2022:1013","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1013"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1029","reference_id":"RHSA-2022:1029","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1029"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/58702?format=json","purl":"pkg:maven/org.bouncycastle/bcprov-jdk15@1.66","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.bouncycastle/bcprov-jdk15@1.66"}],"aliases":["CVE-2020-15522","GHSA-6xx3-rg99-gc3p"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-txmh-5548-ckdg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40326?format=json","vulnerability_id":"VCID-ut6k-7z6d-zqh1","summary":"In Bouncy Castle JCE Provider the DSA key pair generator generates a weak private key if used with default values\nIn the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2669","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2669"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2927","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2927"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000343.json","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000343.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000343","reference_id":"","reference_type":"","scores":[{"value":"0.01074","scoring_system":"epss","scoring_elements":"0.78146","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01074","scoring_system":"epss","scoring_elements":"0.78138","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01074","scoring_system":"epss","scoring_elements":"0.78137","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01074","scoring_system":"epss","scoring_elements":"0.78112","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01074","scoring_system":"epss","scoring_elements":"0.78125","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000343"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000343","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000343"},{"reference_url":"https://github.com/bcgit/bc-java","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java"},{"reference_url":"https://github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389"},{"reference_url":"https://github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389#diff-5578e61500abb2b87b300d3114bdfd7d","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/commit/50a53068c094d6cff37659da33c9b4505becd389#diff-5578e61500abb2b87b300d3114bdfd7d"},{"reference_url":"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20181127-0004","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20181127-0004"},{"reference_url":"https://usn.ubuntu.com/3727-1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/3727-1"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2020.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588721","reference_id":"1588721","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588721"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000343","reference_id":"CVE-2016-1000343","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000343"},{"reference_url":"https://github.com/advisories/GHSA-rrvx-pwf8-p59p","reference_id":"GHSA-rrvx-pwf8-p59p","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rrvx-pwf8-p59p"},{"reference_url":"https://usn.ubuntu.com/3727-1/","reference_id":"USN-3727-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3727-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56695?format=json","purl":"pkg:maven/org.bouncycastle/bcprov-jdk15@1.56","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.bouncycastle/bcprov-jdk15@1.56"}],"aliases":["CVE-2016-1000343","GHSA-rrvx-pwf8-p59p"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ut6k-7z6d-zqh1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40328?format=json","vulnerability_id":"VCID-v4g4-vznr-zuhp","summary":"Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-29T19:03:21Z/"}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00011.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000613.json","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000613.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1000613","reference_id":"","reference_type":"","scores":[{"value":"0.05036","scoring_system":"epss","scoring_elements":"0.89937","published_at":"2026-06-05T12:55:00Z"},{"value":"0.05036","scoring_system":"epss","scoring_elements":"0.89934","published_at":"2026-06-08T12:55:00Z"},{"value":"0.05036","scoring_system":"epss","scoring_elements":"0.89938","published_at":"2026-06-06T12:55:00Z"},{"value":"0.05036","scoring_system":"epss","scoring_elements":"0.89921","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1000613"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/bcgit/bc-java","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java"},{"reference_url":"https://github.com/bcgit/bc-java/commit/4092ede58da51af9a21e4825fbad0d9a3ef5a223","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/bcgit/bc-java/commit/4092ede58da51af9a21e4825fbad0d9a3ef5a223"},{"reference_url":"https://github.com/bcgit/bc-java/commit/4092ede58da51af9a21e4825fbad0d9a3ef5a223#diff-2c06e2edef41db889ee14899e12bd574","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-29T19:03:21Z/"}],"url":"https://github.com/bcgit/bc-java/commit/4092ede58da51af9a21e4825fbad0d9a3ef5a223#diff-2c06e2edef41db889ee14899e12bd574"},{"reference_url":"https://github.com/bcgit/bc-java/commit/cc9f91c41be67e88fca4e38f4872418448950fd9","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/commit/cc9f91c41be67e88fca4e38f4872418448950fd9"},{"reference_url":"https://github.com/bcgit/bc-java/commit/cd98322b171b15b3f88c5ec871175147893c31e6","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/bcgit/bc-java/commit/cd98322b171b15b3f88c5ec871175147893c31e6"},{"reference_url":"https://github.com/bcgit/bc-java/commit/cd98322b171b15b3f88c5ec871175147893c31e6#diff-148a6c098af0199192d6aede960f45dc","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-29T19:03:21Z/"}],"url":"https://github.com/bcgit/bc-java/commit/cd98322b171b15b3f88c5ec871175147893c31e6#diff-148a6c098af0199192d6aede960f45dc"},{"reference_url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-29T19:03:21Z/"}],"url":"https://lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E"},{"reference_url":"https://security.netapp.com/advisory/ntap-20190204-0003","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20190204-0003"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2020.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-29T19:03:21Z/"}],"url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuApr2021.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-29T19:03:21Z/"}],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2020.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-29T19:03:21Z/"}],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-29T19:03:21Z/"}],"url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-29T19:03:21Z/"}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-29T19:03:21Z/"}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1601096","reference_id":"1601096","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1601096"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000613","reference_id":"CVE-2018-1000613","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1000613"},{"reference_url":"https://github.com/advisories/GHSA-4446-656p-f54g","reference_id":"GHSA-4446-656p-f54g","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-4446-656p-f54g"},{"reference_url":"https://security.netapp.com/advisory/ntap-20190204-0003/","reference_id":"ntap-20190204-0003","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-01-29T19:03:21Z/"}],"url":"https://security.netapp.com/advisory/ntap-20190204-0003/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56655?format=json","purl":"pkg:maven/org.bouncycastle/bcprov-jdk15@1.60","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.bouncycastle/bcprov-jdk15@1.60"}],"aliases":["CVE-2018-1000613","GHSA-4446-656p-f54g"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-v4g4-vznr-zuhp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/46470?format=json","vulnerability_id":"VCID-we5n-w376-tkda","summary":"Uncontrolled Resource Consumption\nBouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-33202.json","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-33202.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33202","reference_id":"","reference_type":"","scores":[{"value":"0.00159","scoring_system":"epss","scoring_elements":"0.36621","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00214","scoring_system":"epss","scoring_elements":"0.44033","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00214","scoring_system":"epss","scoring_elements":"0.44057","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00214","scoring_system":"epss","scoring_elements":"0.43997","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-33202"},{"reference_url":"https://bouncycastle.org","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T17:51:39Z/"}],"url":"https://bouncycastle.org"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33202","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33202"},{"reference_url":"https://github.com/bcgit/bc-java","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java"},{"reference_url":"https://github.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/commit/0c576892862ed41894f49a8f639112e8d66d229c"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240125-0001","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240125-0001"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056754","reference_id":"1056754","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1056754"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2251281","reference_id":"2251281","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2251281"},{"reference_url":"https://github.com/bcgit/bc-java/wiki/CVE-2023-33202","reference_id":"CVE-2023-33202","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T17:51:39Z/"}],"url":"https://github.com/bcgit/bc-java/wiki/CVE-2023-33202"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33202","reference_id":"CVE-2023-33202","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-33202"},{"reference_url":"https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902023%E2%80%9033202","reference_id":"CVE%E2%80%902023%E2%80%9033202","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T17:51:39Z/"}],"url":"https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902023%E2%80%9033202"},{"reference_url":"https://github.com/advisories/GHSA-wjxj-5m7g-mg7q","reference_id":"GHSA-wjxj-5m7g-mg7q","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wjxj-5m7g-mg7q"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240125-0001/","reference_id":"ntap-20240125-0001","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T17:51:39Z/"}],"url":"https://security.netapp.com/advisory/ntap-20240125-0001/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/67856?format=json","purl":"pkg:maven/org.bouncycastle/bcprov-jdk15@1.73","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.bouncycastle/bcprov-jdk15@1.73"}],"aliases":["CVE-2023-33202","GHSA-wjxj-5m7g-mg7q"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-we5n-w376-tkda"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/40308?format=json","vulnerability_id":"VCID-zkjk-uddk-9qem","summary":"In Bouncy Castle JCE Provider ECDSA does not fully validate ASN.1 encoding of signature on verification\nIn the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2669","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2669"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2927","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2927"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000342.json","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-1000342.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000342","reference_id":"","reference_type":"","scores":[{"value":"0.00471","scoring_system":"epss","scoring_elements":"0.64951","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00471","scoring_system":"epss","scoring_elements":"0.6498","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00471","scoring_system":"epss","scoring_elements":"0.64992","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00471","scoring_system":"epss","scoring_elements":"0.65004","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00471","scoring_system":"epss","scoring_elements":"0.64994","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2016-1000342"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000342","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000342"},{"reference_url":"https://github.com/bcgit/bc-java","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java"},{"reference_url":"https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647"},{"reference_url":"https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647#diff-25c3c78db788365f36839b3f2d3016b9","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/bcgit/bc-java/commit/843c2e60f67d71faf81d236f448ebbe56c62c647#diff-25c3c78db788365f36839b3f2d3016b9"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00009.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20181127-0004","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20181127-0004"},{"reference_url":"https://usn.ubuntu.com/3727-1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/3727-1"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2020.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588715","reference_id":"1588715","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1588715"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000342","reference_id":"CVE-2016-1000342","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2016-1000342"},{"reference_url":"https://github.com/advisories/GHSA-qcj7-g2j5-g7r3","reference_id":"GHSA-qcj7-g2j5-g7r3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qcj7-g2j5-g7r3"},{"reference_url":"https://usn.ubuntu.com/3727-1/","reference_id":"USN-3727-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3727-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56695?format=json","purl":"pkg:maven/org.bouncycastle/bcprov-jdk15@1.56","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.bouncycastle/bcprov-jdk15@1.56"}],"aliases":["CVE-2016-1000342","GHSA-qcj7-g2j5-g7r3"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zkjk-uddk-9qem"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.bouncycastle/bcprov-jdk15@1.40"}