CVE-2020-28052: Logic error in Legion of the Bouncy Castle BC Java

April 30, 2021 (updated October 21, 2021)

An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

References

github.com/advisories/GHSA-73xv-w5gp-frxh
github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219
github.com/bcgit/bc-java/wiki/CVE-2020-28052
nvd.nist.gov/vuln/detail/CVE-2020-28052
www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/

Detect and mitigate CVE-2020-28052 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →