Moderate severityNVD Advisory· Published Nov 9, 2015· Updated Jun 17, 2026
CVE-2015-7940
CVE-2015-7940
Description
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.bouncycastle:bcprov-jdk15Maven | < 1.51 | 1.51 |
org.bouncycastle:bcprov-jdk14Maven | < 1.51 | 1.51 |
org.bouncycastle:bcprov-jdk15onMaven | < 1.51 | 1.51 |
Affected products
16- cpe:2.3:a:bouncycastle:bouncy_castle_crypto_package:*:*:*:*:*:*:*:*Range: <=1.50
cpe:2.3:a:oracle:application_testing_suite:12.5.0.1:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:oracle:application_testing_suite:12.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_testing_suite:12.5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:enterprise_manager_ops_center:12.1.4:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:oracle:enterprise_manager_ops_center:12.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.54:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.54:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:virtual_desktop_infrastructure:3.5.2:*:*:*:*:*:*:*
- ghsa-coords4 versionspkg:maven/org.bouncycastle/bcprov-jdk14pkg:maven/org.bouncycastle/bcprov-jdk15pkg:maven/org.bouncycastle/bcprov-jdk15onpkg:rpm/opensuse/bouncycastle&distro=openSUSE%20Tumbleweed
< 1.51+ 3 more
- (no CPE)range: < 1.51
- (no CPE)range: < 1.51
- (no CPE)range: < 1.51
- (no CPE)range: < 1.54-1.2
Patches
Vulnerability mechanics
References
24- lists.opensuse.org/opensuse-security-announce/2015-11/msg00012.htmlnvdThird Party AdvisoryWEB
- www.openwall.com/lists/oss-security/2015/10/22/7nvdThird Party AdvisoryVDB EntryWEB
- www.openwall.com/lists/oss-security/2015/10/22/9nvdThird Party AdvisoryVDB EntryWEB
- www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.htmlnvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-4mv7-cq75-3qjmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2015-7940ghsaADVISORY
- lists.fedoraproject.org/pipermail/package-announce/2016-January/174915.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2016-2035.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2016-2036.htmlnvdWEB
- web-in-security.blogspot.ca/2015/09/practical-invalid-curve-attacks.htmlnvdTechnical DescriptionWEB
- www.debian.org/security/2015/dsa-3417nvdWEB
- www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlnvdWEB
- www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.htmlnvdWEB
- www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.htmlnvdWEB
- www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.htmlnvdWEB
- www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlnvdWEB
- www.securityfocus.com/bid/79091nvdWEB
- www.securitytracker.com/id/1037036nvdWEB
- www.securitytracker.com/id/1037046nvdWEB
- www.securitytracker.com/id/1037053nvdWEB
- usn.ubuntu.com/3727-1ghsaWEB
- www.oracle.com/security-alerts/cpuapr2020.htmlnvdWEB
- www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.htmlnvdWEB
- usn.ubuntu.com/3727-1/nvd
News mentions
0No linked articles in our index yet.