by pas 1203 days ago
You might remember that JDK 15-18 versions shipped to GA with a bug that accepted (0,0) as a valid key for ECDSA.

https://news.ycombinator.com/item?id=31089216 ... and it's not like there wasn't a FOSS test suite for this.

1 comments

It was worse: it wasn't a (0,0) key it accepted. If that was all, then you could blame the user for loading in a bad key, etc. No, the vuln was that it accepted (0,0) as being a valid signature over any text and validated using any public key! So you could forge any signature by simply using (0,0) as the sig itself!