CVE-2020-28052

high-risk

Published 2020-12-18

An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

Do I need to act?

4.1% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.1/10 High

NETWORK / HIGH complexity

Affected Products (20)

Bc-Java

Karaf

Banking Corporate Lending Process Management

Banking Credit Facilities Process Management

Banking Extensibility Workbench

Banking Supply Chain Finance

Banking Virtual Account Management

Blockchain Platform

Commerce Guided Search

Affected Vendors

Apache Oracle Bouncycastle

References (52)

Mitigation https://github.com/bcgit/bc-java/wiki/CVE-2020-28052

https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c2520...

https://lists.apache.org/thread.html/r175f5a25d100dbe2b1bd3459b3ce882a84c3ff91b1...

https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099...

https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e3...

https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdf...

https://lists.apache.org/thread.html/r37d332c0bf772f4982d1fdeeb2f88dd71dab645121...

https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907b...

https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf3...

https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b...

https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6...

https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87...

https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb600869...

https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94...

https://lists.apache.org/thread.html/rddd2237b8636a48d573869006ee809262525efb2b6...

https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937...

https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32...

https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb5584...

Release Notes https://www.bouncycastle.org/releasenotes.html

Patch https://www.oracle.com//security-alerts/cpujul2021.html

and 32 more references

/ 100

high-risk

Severity 24/34 · High

Exploitability 7/34 · Low

Exposure 24/34 · High