CVE-2020-28052

bouncycastle: password bypass in OpenBSDBCrypt.checkPassword utility possible

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

Se detectó un problema en Legion of the Bouncy Castle BC Java versiones 1.65 y 1.66. El método de la utilidad OpenBSDBCrypt.checkPassword comparó datos incorrectos al comprobar la contraseña, permitiendo a unas contraseñas incorrectas indicar que coinciden con otras previamente en hash que eran diferentes

A flaw was found in bouncycastle. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password allowing incorrect passwords to indicate they were matching with previously hashed ones that were different. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-11-02 CVE Reserved
2020-12-18 CVE Published
2024-08-04 CVE Updated
2024-08-04 First Exploit
2024-11-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-287: Improper Authentication

CAPEC

References (28)

URL	Tag	Source
https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe%40%3Cissues.karaf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r175f5a25d100dbe2b1bd3459b3ce882a84c3ff91b120ed4ff2d57b53%40%3Ccommits.pulsar.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a%40%3Ccommits.druid.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013%40%3Cissues.karaf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b%40%3Cissues.karaf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r37d332c0bf772f4982d1fdeeb2f88dd71dab6451213e69e43734eadc%40%3Ccommits.pulsar.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc%40%3Cissues.karaf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94%40%3Cissues.karaf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e%40%3Cissues.solr.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f%40%3Ccommits.druid.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c%40%3Cissues.karaf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21%40%3Cissues.karaf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31%40%3Cissues.karaf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rddd2237b8636a48d573869006ee809262525efb2b6ffa6eff50d2a2d%40%3Cjira.kafka.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e%40%3Ccommits.druid.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402%40%3Cissues.karaf.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2%40%3Cissues.karaf.apache.org%3E	Mailing List

URL	Date	SRC
https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle	2024-08-04

URL	Date	SRC
https://github.com/bcgit/bc-java/wiki/CVE-2020-28052	2023-11-07
https://www.oracle.com//security-alerts/cpujul2021.html	2023-11-07
https://www.oracle.com/security-alerts/cpuApr2021.html	2023-11-07
https://www.oracle.com/security-alerts/cpuapr2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpujan2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpujul2022.html	2023-11-07
https://www.oracle.com/security-alerts/cpuoct2021.html	2023-11-07

URL	Date	SRC
https://www.bouncycastle.org/releasenotes.html	2023-11-07
https://access.redhat.com/security/cve/CVE-2020-28052	2021-11-23
https://bugzilla.redhat.com/show_bug.cgi?id=1912881	2021-11-23

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Bouncycastle Search vendor "Bouncycastle"		Legion-of-the-bouncy-castle-java-crytography-api Search vendor "Bouncycastle" for product "Legion-of-the-bouncy-castle-java-crytography-api"				1.65 Search vendor "Bouncycastle" for product "Legion-of-the-bouncy-castle-java-crytography-api" and version "1.65"		-		Affected
Bouncycastle Search vendor "Bouncycastle"		Legion-of-the-bouncy-castle-java-crytography-api Search vendor "Bouncycastle" for product "Legion-of-the-bouncy-castle-java-crytography-api"				1.66 Search vendor "Bouncycastle" for product "Legion-of-the-bouncy-castle-java-crytography-api" and version "1.66"		-		Affected
Apache Search vendor "Apache"		Karaf Search vendor "Apache" for product "Karaf"				4.3.2 Search vendor "Apache" for product "Karaf" and version "4.3.2"		-		Affected
Oracle Search vendor "Oracle"		Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management"				14.2.0 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.2.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management"				14.3.0 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.3.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Corporate Lending Process Management Search vendor "Oracle" for product "Banking Corporate Lending Process Management"				14.5.0 Search vendor "Oracle" for product "Banking Corporate Lending Process Management" and version "14.5.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management"				14.2.0 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.2.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management"				14.3.0 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.3.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Credit Facilities Process Management Search vendor "Oracle" for product "Banking Credit Facilities Process Management"				14.5.0 Search vendor "Oracle" for product "Banking Credit Facilities Process Management" and version "14.5.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Extensibility Workbench Search vendor "Oracle" for product "Banking Extensibility Workbench"				14.2.0 Search vendor "Oracle" for product "Banking Extensibility Workbench" and version "14.2.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Extensibility Workbench Search vendor "Oracle" for product "Banking Extensibility Workbench"				14.3.0 Search vendor "Oracle" for product "Banking Extensibility Workbench" and version "14.3.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Extensibility Workbench Search vendor "Oracle" for product "Banking Extensibility Workbench"				14.5.0 Search vendor "Oracle" for product "Banking Extensibility Workbench" and version "14.5.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Supply Chain Finance Search vendor "Oracle" for product "Banking Supply Chain Finance"				14.2.0 Search vendor "Oracle" for product "Banking Supply Chain Finance" and version "14.2.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Supply Chain Finance Search vendor "Oracle" for product "Banking Supply Chain Finance"				14.3.0 Search vendor "Oracle" for product "Banking Supply Chain Finance" and version "14.3.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Supply Chain Finance Search vendor "Oracle" for product "Banking Supply Chain Finance"				14.5.0 Search vendor "Oracle" for product "Banking Supply Chain Finance" and version "14.5.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management"				14.2.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.2.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management"				14.3.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.3.0"		-		Affected
Oracle Search vendor "Oracle"		Banking Virtual Account Management Search vendor "Oracle" for product "Banking Virtual Account Management"				14.5.0 Search vendor "Oracle" for product "Banking Virtual Account Management" and version "14.5.0"		-		Affected
Oracle Search vendor "Oracle"		Blockchain Platform Search vendor "Oracle" for product "Blockchain Platform"				< 21.1.2 Search vendor "Oracle" for product "Blockchain Platform" and version " < 21.1.2"		-		Affected
Oracle Search vendor "Oracle"		Commerce Guided Search Search vendor "Oracle" for product "Commerce Guided Search"				11.3.2 Search vendor "Oracle" for product "Commerce Guided Search" and version "11.3.2"		-		Affected
Oracle Search vendor "Oracle"		Communications Application Session Controller Search vendor "Oracle" for product "Communications Application Session Controller"				3.9m0p3 Search vendor "Oracle" for product "Communications Application Session Controller" and version "3.9m0p3"		-		Affected
Oracle Search vendor "Oracle"		Communications Cloud Native Core Network Slice Selection Function Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function"				1.2.1 Search vendor "Oracle" for product "Communications Cloud Native Core Network Slice Selection Function" and version "1.2.1"		-		Affected
Oracle Search vendor "Oracle"		Communications Convergence Search vendor "Oracle" for product "Communications Convergence"				3.0.2.2.0 Search vendor "Oracle" for product "Communications Convergence" and version "3.0.2.2.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Pricing Design Center Search vendor "Oracle" for product "Communications Pricing Design Center"				12.0.0.3.0 Search vendor "Oracle" for product "Communications Pricing Design Center" and version "12.0.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Report Manager Search vendor "Oracle" for product "Communications Session Report Manager"				>= 8.0.0 <= 8.2.4.0 Search vendor "Oracle" for product "Communications Session Report Manager" and version " >= 8.0.0 <= 8.2.4.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Session Route Manager Search vendor "Oracle" for product "Communications Session Route Manager"				>= 8.2.0 <= 8.2.4 Search vendor "Oracle" for product "Communications Session Route Manager" and version " >= 8.2.0 <= 8.2.4"		-		Affected
Oracle Search vendor "Oracle"		Jd Edwards Enterpriseone Tools Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools"				<= 9.2.5.3 Search vendor "Oracle" for product "Jd Edwards Enterpriseone Tools" and version " <= 9.2.5.3"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.56 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.56"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.57 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.57"		-		Affected
Oracle Search vendor "Oracle"		Peoplesoft Enterprise Peopletools Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools"				8.58 Search vendor "Oracle" for product "Peoplesoft Enterprise Peopletools" and version "8.58"		-		Affected
Oracle Search vendor "Oracle"		Utilities Framework Search vendor "Oracle" for product "Utilities Framework"				4.3.0.6.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.3.0.6.0"		-		Affected
Oracle Search vendor "Oracle"		Utilities Framework Search vendor "Oracle" for product "Utilities Framework"				4.4.0.0.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.4.0.0.0"		-		Affected
Oracle Search vendor "Oracle"		Utilities Framework Search vendor "Oracle" for product "Utilities Framework"				4.4.0.2.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.4.0.2.0"		-		Affected
Oracle Search vendor "Oracle"		Utilities Framework Search vendor "Oracle" for product "Utilities Framework"				4.4.0.3.0 Search vendor "Oracle" for product "Utilities Framework" and version "4.4.0.3.0"		-		Affected
Oracle Search vendor "Oracle"		Webcenter Portal Search vendor "Oracle" for product "Webcenter Portal"				11.1.1.9.0 Search vendor "Oracle" for product "Webcenter Portal" and version "11.1.1.9.0"		-		Affected
Oracle Search vendor "Oracle"		Webcenter Portal Search vendor "Oracle" for product "Webcenter Portal"				12.2.1.3.0 Search vendor "Oracle" for product "Webcenter Portal" and version "12.2.1.3.0"		-		Affected
Oracle Search vendor "Oracle"		Webcenter Portal Search vendor "Oracle" for product "Webcenter Portal"				12.2.1.4.0 Search vendor "Oracle" for product "Webcenter Portal" and version "12.2.1.4.0"		-		Affected
Oracle Search vendor "Oracle"		Communications Messaging Server Search vendor "Oracle" for product "Communications Messaging Server"				8.0.2 Search vendor "Oracle" for product "Communications Messaging Server" and version "8.0.2"		-		Affected
Oracle Search vendor "Oracle"		Communications Messaging Server Search vendor "Oracle" for product "Communications Messaging Server"				8.1 Search vendor "Oracle" for product "Communications Messaging Server" and version "8.1"		-		Affected