#VU49086 Comparison using wrong factors in The Bouncy Castle Crypto Package For Java - CVE-2020-28052
Published: December 18, 2020 / Updated: January 6, 2021
Vulnerability identifier: #VU49086
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2020-28052
CWE-ID: CWE-1025
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
The Bouncy Castle Crypto Package For Java
The Bouncy Castle Crypto Package For Java
Software vendor:
Legion of the Bouncy Castle Inc.
Legion of the Bouncy Castle Inc.
Description
The vulnerability allows a remote attacker to brute-force password hashes.
The vulnerability exists due to comparison error in OpenBSDBCrypt.checkPassword() function in core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java when matching passwords with hashes. A remote attacker can pass an incorrect password that will be accepted as a valid one by the library, bypass authentication process and gain unauthorized access to the application that uses vulnerable version of Bouncy Castle.
Remediation
Install updates from vendor's website.