Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTczeHYtdzVncC1mcnho
Logic error in Legion of the Bouncy Castle BC Java
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
Permalink: https://github.com/advisories/GHSA-73xv-w5gp-frxhJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTczeHYtdzVncC1mcnho
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 3 years ago
Updated: almost 2 years ago
CVSS Score: 8.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.0167
EPSS Percentile: 0.87323
Identifiers: GHSA-73xv-w5gp-frxh, CVE-2020-28052
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-28052
- https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219
- https://github.com/bcgit/bc-java/wiki/CVE-2020-28052
- https://lists.apache.org/thread.html/r175f5a25d100dbe2b1bd3459b3ce882a84c3ff91b120ed4ff2d57b53@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/r37d332c0bf772f4982d1fdeeb2f88dd71dab6451213e69e43734eadc@%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f@%3Ccommits.druid.apache.org%3E
- https://lists.apache.org/thread.html/rddd2237b8636a48d573869006ee809262525efb2b6ffa6eff50d2a2d@%3Cjira.kafka.apache.org%3E
- https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e@%3Ccommits.druid.apache.org%3E
- https://www.bouncycastle.org/releasenotes.html
- https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/
- https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e@%3Cissues.solr.apache.org%3E
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe@%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013@%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b@%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc@%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94@%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c@%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21@%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31@%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402@%3Cissues.karaf.apache.org%3E
- https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2@%3Cissues.karaf.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://github.com/advisories/GHSA-73xv-w5gp-frxh
Blast Radius: 34.6
Affected Packages
maven:org.bouncycastle:bcprov-ext-jdk16
Dependent packages: 16Dependent repositories: 147
Downloads:
Affected Version Ranges: >= 1.65, < 1.67
Fixed in: 1.67
All affected versions:
All unaffected versions:
maven:org.bouncycastle:bcprov-jdk16
Dependent packages: 563Dependent repositories: 6,549
Downloads:
Affected Version Ranges: >= 1.65, < 1.67
Fixed in: 1.67
All affected versions:
All unaffected versions:
maven:org.bouncycastle:bcprov-jdk14
Dependent packages: 33Dependent repositories: 201
Downloads:
Affected Version Ranges: >= 1.65, < 1.67
Fixed in: 1.67
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bcprov-ext-jdk15on
Dependent packages: 261Dependent repositories: 1,160
Downloads:
Affected Version Ranges: >= 1.65, < 1.67
Fixed in: 1.67
All affected versions:
All unaffected versions:
maven:org.bouncycastle:bcprov-jdk15on
Dependent packages: 3,304Dependent repositories: 18,945
Downloads:
Affected Version Ranges: >= 1.65, < 1.67
Fixed in: 1.67
All affected versions: 1.65.1
All unaffected versions:
maven:org.bouncycastle:bcprov-jdk15
Dependent packages: 104Dependent repositories: 985
Downloads:
Affected Version Ranges: >= 1.65, < 1.67
Fixed in: 1.67
All affected versions:
All unaffected versions:
maven:org.bouncycastle:bcprov-jdk15to18
Dependent packages: 187Dependent repositories: 341
Downloads:
Affected Version Ranges: >= 1.65, < 1.67
Fixed in: 1.67
All affected versions:
All unaffected versions: 1.78.1