CVE-2020-28052

Published: Dec 18, 2020Modified: May 12, 2025

8.1

Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.2 / Impact: 5.9

Source: NVD

Description

An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

Affected (39)

Products: Bouncycastle: Bc Java · Apache: Karaf · Oracle: Banking Corporate Lending Process Management, Banking Credit Facilities Process Management, Banking Extensibility Workbench, Banking Supply Chain Finance, Banking Virtual Account Management, Blockchain Platform, Commerce Guided Search, Communications Application Session Controller, Communications Cloud Native Core Network Slice Selection Function, Communications Convergence, Communications Messaging Server, Communications Pricing Design Center, Communications Session Report Manager, Communications Session Route Manager, Jd Edwards Enterpriseone Tools, Peoplesoft Enterprise Peopletools, Utilities Framework, Webcenter Portal

1 product

1 product

18 products

Banking Corporate Lending Process Management

Banking Credit Facilities Process Management

Banking Extensibility Workbench

Banking Supply Chain Finance

Banking Virtual Account Management

Blockchain Platform

Commerce Guided Search

Communications Application Session Controller

Communications Cloud Native Core Network Slice Selection Function

Communications Convergence

Communications Messaging Server

Communications Pricing Design Center

Communications Session Report Manager

Communications Session Route Manager

Jd Edwards Enterpriseone Tools

Peoplesoft Enterprise Peopletools

Utilities Framework

Webcenter Portal

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Bouncycastle Bc Java	Version 1.65
Bouncycastle Bc Java	Version 1.66

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Apache Karaf	Version 4.3.2

Configuration C

36 vulnerable

Vulnerable Software	Affected Versions
Oracle Banking Corporate Lending Process Management	Version 14.2.0
Oracle Banking Corporate Lending Process Management	Version 14.3.0
Oracle Banking Corporate Lending Process Management	Version 14.5.0
Oracle Banking Credit Facilities Process Management	Version 14.2.0
Oracle Banking Credit Facilities Process Management	Version 14.3.0
Oracle Banking Credit Facilities Process Management	Version 14.5.0
Oracle Banking Extensibility Workbench	Version 14.2.0
Oracle Banking Extensibility Workbench	Version 14.3.0
Oracle Banking Extensibility Workbench	Version 14.5.0
Oracle Banking Supply Chain Finance	Version 14.2.0
Oracle Banking Supply Chain Finance	Version 14.3.0
Oracle Banking Supply Chain Finance	Version 14.5.0
Oracle Banking Virtual Account Management	Version 14.2.0
Oracle Banking Virtual Account Management	Version 14.3.0
Oracle Banking Virtual Account Management	Version 14.5.0
Oracle Blockchain Platform	Before 21.1.2
Oracle Commerce Guided Search	Version 11.3.2
Oracle Communications Application Session Controller	Version 3.9m0p3
Oracle Communications Cloud Native Core Network Slice Selection Function	Version 1.2.1
Oracle Communications Convergence	Version 3.0.2.2.0
Oracle Communications Messaging Server	Version 8.0.2
Oracle Communications Messaging Server	Version 8.1
Oracle Communications Pricing Design Center	Version 12.0.0.3.0
Oracle Communications Session Report Manager	From 8.0.0 to 8.2.4.0
Oracle Communications Session Route Manager	From 8.2.0 to 8.2.4
Oracle Jd Edwards Enterpriseone Tools	Up to 9.2.5.3
Oracle Peoplesoft Enterprise Peopletools	Version 8.56
Oracle Peoplesoft Enterprise Peopletools	Version 8.57
Oracle Peoplesoft Enterprise Peopletools	Version 8.58
Oracle Utilities Framework	Version 4.3.0.6.0
Oracle Utilities Framework	Version 4.4.0.0.0
Oracle Utilities Framework	Version 4.4.0.2.0
Oracle Utilities Framework	Version 4.4.0.3.0
Oracle Webcenter Portal	Version 11.1.1.9.0
Oracle Webcenter Portal	Version 12.2.1.3.0
Oracle Webcenter Portal	Version 12.2.1.4.0

References (52)

https://github.com/bcgit/bc-java/wiki/CVE-2020-28052

Source: cve@mitre.org

MitigationPatchThird Party Advisory

https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe%40%3Cissues.karaf.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r175f5a25d100dbe2b1bd3459b3ce882a84c3ff91b120ed4ff2d57b53%40%3Ccommits.pulsar.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a%40%3Ccommits.druid.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013%40%3Cissues.karaf.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b%40%3Cissues.karaf.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r37d332c0bf772f4982d1fdeeb2f88dd71dab6451213e69e43734eadc%40%3Ccommits.pulsar.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc%40%3Cissues.karaf.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94%40%3Cissues.karaf.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e%40%3Cissues.solr.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f%40%3Ccommits.druid.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c%40%3Cissues.karaf.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21%40%3Cissues.karaf.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31%40%3Cissues.karaf.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rddd2237b8636a48d573869006ee809262525efb2b6ffa6eff50d2a2d%40%3Cjira.kafka.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e%40%3Ccommits.druid.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402%40%3Cissues.karaf.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2%40%3Cissues.karaf.apache.org%3E

Source: cve@mitre.org

https://www.bouncycastle.org/releasenotes.html

Source: cve@mitre.org

Release NotesVendor Advisory

https://www.oracle.com//security-alerts/cpujul2021.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuApr2021.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujan2022.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpujul2022.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/bcgit/bc-java/wiki/CVE-2020-28052