CVE-2020-8929: Incorrect Calculation
(updated )
A mis-handling of invalid unicode characters in the Java implementation of Tink allows an attacker to change the ID
part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD
with a single key, and rely on a unique ciphertext-per-plaintext.
References
Detect and mitigate CVE-2020-8929 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →