Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
6.8
CVSSv2

CVE-2020-28052

Published: 18/12/2020 Updated: 07/11/2023
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 8.1 | Impact Score: 5.9 | Exploitability Score: 2.2
VMScore: 606
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Subscribe to Bouncycastle

Vulnerability Summary

An issue exists in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

bouncycastle legion-of-the-bouncy-castle-java-crytography-api 1.66

bouncycastle legion-of-the-bouncy-castle-java-crytography-api 1.65

apache karaf 4.3.2

oracle peoplesoft enterprise peopletools 8.56

oracle webcenter portal 12.2.1.3.0

oracle webcenter portal 11.1.1.9.0

oracle peoplesoft enterprise peopletools 8.57

oracle utilities framework 4.3.0.6.0

oracle utilities framework 4.4.0.0.0

oracle peoplesoft enterprise peopletools 8.58

oracle webcenter portal 12.2.1.4.0

oracle utilities framework 4.4.0.2.0

oracle banking extensibility workbench 14.3.0

oracle banking virtual account management 14.3.0

oracle banking credit facilities process management 14.3.0

oracle banking corporate lending process management 14.3.0

oracle communications messaging server 8.1

oracle commerce guided search 11.3.2

oracle communications messaging server 8.0.2

oracle utilities framework 4.4.0.3.0

oracle communications cloud native core network slice selection function 1.2.1

oracle communications pricing design center 12.0.0.3.0

oracle communications application session controller 3.9m0p3

oracle jd edwards enterpriseone tools

oracle banking virtual account management 14.2.0

oracle banking virtual account management 14.5.0

oracle banking supply chain finance 14.2.0

oracle banking credit facilities process management 14.2.0

oracle banking credit facilities process management 14.5.0

oracle banking corporate lending process management 14.2.0

oracle banking corporate lending process management 14.5.0

oracle communications session report manager

oracle banking supply chain finance 14.5.0

oracle banking supply chain finance 14.3.0

oracle banking extensibility workbench 14.2.0

oracle banking extensibility workbench 14.5.0

oracle communications session route manager

oracle communications convergence 3.0.2.2.0

oracle blockchain platform

Vendor Advisories

Debian CVElist Bug Report Logs: bouncycastle: CVE-2020-28052
Debian Bug report logs - #977683 bouncycastle: CVE-2020-28052 Package: src:bouncycastle; Maintainer for src:bouncycastle is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Fri, 18 Dec 2020 20:36:02 UTC Severity: grave Tags: patch, sec ...
Arch Linux Issues:
An issue was discovered in Legion of the Bouncy Castle BC Java 165 and 166 The OpenBSDBCryptcheckPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different ...
Hitachi Security Advisories: Multiple Vulnerabilities in Hitachi Ops Center Common Services
Multiple vulnerabilities have been found in Hitachi Ops Center Common Services CVE-2020-1695, CVE-2020-1723, CVE-2020-1725, CVE-2020-10770, CVE-2020-14302, CVE-2020-15522, CVE-2020-25711, CVE-2020-27838, CVE-2020-28052, CVE-2020-28491, CVE-2021-3424, CVE-2021-3712, CVE-2021-20195, CVE-2021-20202, CVE-2021-20222, CVE-2021-20262, CVE-2021-21290, C ...

Github Repositories

https://github.com/madstap/bouncy-castle-generative-test-poc

A generative test that would've caught CVE-2020-28052

Generative testing bouncy castle vulnerability (CVE-2020-28052) Running the tests Test the vulnerable versions (defaults to 166) $ clojure -M:test $ clojure -M:test:v165 Test the versions before the vuln and after the patch (167) $ clojure -M:test:v164 $ clojure -M:test:patched Links www

https://github.com/kurenaif/CVE-2020-28052_PoC

githubcom/bcgit/bc-java/wiki/CVE-2020-28052 /gradlew run /gradlew build --refresh-dependencies

References

NVD-CWE-Otherhttps://github.com/bcgit/bc-java/wiki/CVE-2020-28052https://www.bouncycastle.org/releasenotes.htmlhttps://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/https://www.oracle.com/security-alerts/cpuApr2021.htmlhttps://www.oracle.com//security-alerts/cpujul2021.htmlhttps://www.oracle.com/security-alerts/cpuoct2021.htmlhttps://www.oracle.com/security-alerts/cpujan2022.htmlhttps://www.oracle.com/security-alerts/cpuapr2022.htmlhttps://www.oracle.com/security-alerts/cpujul2022.htmlhttps://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f%40%3Ccommits.druid.apache.org%3Ehttps://lists.apache.org/thread.html/rddd2237b8636a48d573869006ee809262525efb2b6ffa6eff50d2a2d%40%3Cjira.kafka.apache.org%3Ehttps://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a%40%3Ccommits.druid.apache.org%3Ehttps://lists.apache.org/thread.html/r175f5a25d100dbe2b1bd3459b3ce882a84c3ff91b120ed4ff2d57b53%40%3Ccommits.pulsar.apache.org%3Ehttps://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e%40%3Ccommits.druid.apache.org%3Ehttps://lists.apache.org/thread.html/r37d332c0bf772f4982d1fdeeb2f88dd71dab6451213e69e43734eadc%40%3Ccommits.pulsar.apache.org%3Ehttps://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e%40%3Cissues.solr.apache.org%3Ehttps://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402%40%3Cissues.karaf.apache.org%3Ehttps://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c%40%3Cissues.karaf.apache.org%3Ehttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=977683https://nvd.nist.govhttps://github.com/madstap/bouncy-castle-generative-test-pochttps://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2021-134/index.html
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-2907hardcodedinjectCVE-2024-20359CVE-2024-2467CVE-2024-4077CVE-2024-22391cameraCVE-2024-20353
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook