CVE-2016-1000346 — LOW (3.7)

Q: How severe is CVE-2016-1000346?

CVE-2016-1000346 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-1000346?

Check the references section above for vendor advisories and patch information. Affected products include: Bouncycastle Bc-Java, Debian Debian Linux.

Vulnerability Description

In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.

CVSS Score

3.7

LOW

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Bouncycastle	Bc-Java	<= 1.55
Debian	Debian Linux	8.0

Related Weaknesses (CWE)

CWE-320

References

FAQ

What is CVE-2016-1000346?

CVE-2016-1000346 is a vulnerability with a CVSS score of 3.7 (LOW). In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other par...

How severe is CVE-2016-1000346?

CVE-2016-1000346 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-1000346?

Check the references section above for vendor advisories and patch information. Affected products include: Bouncycastle Bc-Java, Debian Debian Linux.