CVE-2020-28052
CVE-2020-28052 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different. EPSS estimates a 7.14% chance of exploitation in the next 30 days.
Description
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.
Metrics
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Bouncycastle | Bc-Java | 1.65 |
| Bouncycastle | Bc-Java | 1.66 |
| Apache | Karaf | 4.3.2 |
| Oracle | Banking Corporate Lending Process Management | 14.2.0 |
| Oracle | Banking Corporate Lending Process Management | 14.3.0 |
| Oracle | Banking Corporate Lending Process Management | 14.5.0 |
| Oracle | Banking Credit Facilities Process Management | 14.2.0 |
| Oracle | Banking Credit Facilities Process Management | 14.3.0 |
| Oracle | Banking Credit Facilities Process Management | 14.5.0 |
| Oracle | Banking Extensibility Workbench | 14.2.0 |
| Oracle | Banking Extensibility Workbench | 14.3.0 |
| Oracle | Banking Extensibility Workbench | 14.5.0 |
| Oracle | Banking Supply Chain Finance | 14.2.0 |
| Oracle | Banking Supply Chain Finance | 14.3.0 |
| Oracle | Banking Supply Chain Finance | 14.5.0 |
| Oracle | Banking Virtual Account Management | 14.2.0 |
| Oracle | Banking Virtual Account Management | 14.3.0 |
| Oracle | Banking Virtual Account Management | 14.5.0 |
| Oracle | Blockchain Platform | < 21.1.2 |
| Oracle | Commerce Guided Search | 11.3.2 |
| Oracle | Communications Application Session Controller | 3.9m0p3 |
| Oracle | Communications Cloud Native Core Network Slice Selection Function | 1.2.1 |
| Oracle | Communications Convergence | 3.0.2.2.0 |
| Oracle | Communications Pricing Design Center | 12.0.0.3.0 |
| Oracle | Communications Session Report Manager | >= 8.0.0, <= 8.2.4.0 |
| Oracle | Communications Session Route Manager | >= 8.2.0, <= 8.2.4 |
| Oracle | Jd Edwards Enterpriseone Tools | <= 9.2.5.3 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.56 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.57 |
| Oracle | Peoplesoft Enterprise Peopletools | 8.58 |
| Oracle | Utilities Framework | 4.3.0.6.0 |
| Oracle | Utilities Framework | 4.4.0.0.0 |
| Oracle | Utilities Framework | 4.4.0.2.0 |
| Oracle | Utilities Framework | 4.4.0.3.0 |
| Oracle | Webcenter Portal | 11.1.1.9.0 |
| Oracle | Webcenter Portal | 12.2.1.3.0 |
| Oracle | Webcenter Portal | 12.2.1.4.0 |
| Oracle | Communications Messaging Server | 8.0.2 |
| Oracle | Communications Messaging Server | 8.1 |
References
- https://github.com/bcgit/bc-java/wiki/CVE-2020-28052 (Mitigation, Patch, Third Party Advisory)
- https://www.bouncycastle.org/releasenotes.html (Release Notes, Vendor Advisory)
- https://www.oracle.com//security-alerts/cpujul2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuApr2021.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuoct2021.html (Patch, Third Party Advisory)
- https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/ (Exploit, Third Party Advisory)
Source: NVD / NIST
