Primary

Context

oviva epa4all-client ECDSA Signature Verification Vulnerability in SignedPublicKeysTrustValidator

Vulnerability

Patched

A vulnerability exists in the oviva epa4all-client Java library, specifically in versions prior to 1.2.1. The issue arises in the SignedPublicKeysTrustValidatorImpl.isTrusted() method, where the ECDSA signature verification improperly ignores the boolean result of the Signature.verify() call. Although the method conducts certificate chain validation, OCSP checks, and sets up the signature algorithm, it fails to verify if the signature actually corresponds. As a result, the method returns true for any structurally valid signature, creating a trust validation bypass.

Impact

This vulnerability allows for a bypass of ECDSA signature verification, enabling the acceptance of invalid signatures as valid. This could lead to unauthorized actions being performed or trusted entities being falsely validated.

Remediation

Users can upgrade to version 1.2.1 or later to address this vulnerability.

Added: May 26, 2026, 11:46 PM

Updated: May 26, 2026, 11:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

5.6

remediation

0.0

relevance

9.6

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

5.6

remediation

0.0

relevance

9.6

threat

3.2

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

oviva epa4all-client ECDSA Signature Verification Vulnerability in SignedPublicKeysTrustValidator

Vulnerability

Impact

Remediation

Affected Products

oviva-ag epa4all-client

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating