CVE 2020 28052: Bouncy Castle vulnerability

search cancel

CVE 2020 28052: Bouncy Castle vulnerability

book

Article ID: 208455

calendar_today

Updated On:

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

A scan has brought up a vulnerability. The bouncycastle library is affected, contained in com.wily.introscope.em.client14.jar.

Details from scanning tool:

Vulnerability Id:

CVE-2020-28052

Description:

An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

References:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28052

https://github.com/bcgit/bc-java/wiki/CVE-2020-28052

https://www.bouncycastle.org/releasenotes.html

https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/

Filename:

bcprov-jdk15on.jar

Origin:

Dependency contains vulnerable code

Programming constructs of the change list of the OSS patch

Repository:

https://github.com/bcgit/bc-java/