CVE-2020-7226

Published: Jan 24, 2020Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data.

Affected (7)

Products: Vt: Cryptacular · Oracle: Communications Services Gatekeeper, Webcenter Sites, Weblogic Server

1 product

3 products

Communications Services Gatekeeper

Webcenter Sites

Weblogic Server

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Vt Cryptacular	Before 1.1.4
Vt Cryptacular	From 1.2.0 to 1.2.4

Configuration B

5 vulnerable

Vulnerable Software	Affected Versions
Oracle Communications Services Gatekeeper	Version 7.0
Oracle Webcenter Sites	Version 12.2.1.3.0
Oracle Webcenter Sites	Version 12.2.1.4.0
Oracle Weblogic Server	Version 12.2.1.4.0
Oracle Weblogic Server	Version 14.1.1.0.0

Related CWEs

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

References (38)

https://github.com/apereo/cas/commit/8810f2b6c71d73341d4dde6b09a18eb46cfd6d45

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/apereo/cas/commit/93b1c3e9d90e36a19d0fa0f6efb863c6f0235e75

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/apereo/cas/commit/a042808d6adbbf44753d52c55cac5f533e24101f

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/apereo/cas/pull/4685

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/vt-middleware/cryptacular/blob/fafccd07ab1214e3588a35afe3c361519129605f/src/main/java/org/cryptacular/CiphertextHeader.java#L153

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/vt-middleware/cryptacular/blob/master/src/main/java/org/cryptacular/CiphertextHeader.java#L153

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/vt-middleware/cryptacular/issues/52

Source: cve@mitre.org

ExploitThird Party Advisory

https://lists.apache.org/thread.html/r0847c7eb78c8f9e87d5b841fbd5da52b2ad4b4345e04b51c30621d88%40%3Ccommits.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r209de85beae4d257d27fc577e3a3e97039bdb4c2dc6f4a8e5a5a5811%40%3Ccommits.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r2237a27040b57adc2fcc5570bd530ad2038e67fcb2a3ce65283d3143%40%3Ccommits.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r380781f5b489cb3c818536cd3b3757e806bfe0bca188591e0051ac03%40%3Ccommits.ws.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r4a62133ad01d5f963755021027a4cce23f76b8674a13860d2978c7c8%40%3Ccommits.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/r77c48cd851f60833df9a9c9c31f12243508e15d1b2a0961066d44fc6%40%3Ccommits.tomee.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rc36b75cabb4d700b48035d15ad8b8c2712bb32123572a1bdaec2510a%40%3Cdev.ws.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/re04e4f8f0d095387fb6b0ff9016a0af8c93f42e1de93b09298bfa547%40%3Ccommits.ws.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/re7f46c4cc29a4616e0aa669c84a0eb34832e83a8eef05189e2e59b44%40%3Cdev.ws.apache.org%3E

Source: cve@mitre.org

https://lists.apache.org/thread.html/rfa4647c58e375996e62a9094bffff6dc350ec311ba955b430e738945%40%3Cdev.ws.apache.org%3E

Source: cve@mitre.org

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: cve@mitre.org

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/apereo/cas/commit/8810f2b6c71d73341d4dde6b09a18eb46cfd6d45

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/apereo/cas/commit/93b1c3e9d90e36a19d0fa0f6efb863c6f0235e75

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/apereo/cas/commit/a042808d6adbbf44753d52c55cac5f533e24101f

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/apereo/cas/pull/4685

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/vt-middleware/cryptacular/blob/fafccd07ab1214e3588a35afe3c361519129605f/src/main/java/org/cryptacular/CiphertextHeader.java#L153

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://github.com/vt-middleware/cryptacular/blob/master/src/main/java/org/cryptacular/CiphertextHeader.java#L153

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://github.com/vt-middleware/cryptacular/issues/52

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://lists.apache.org/thread.html/r0847c7eb78c8f9e87d5b841fbd5da52b2ad4b4345e04b51c30621d88%40%3Ccommits.tomee.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r209de85beae4d257d27fc577e3a3e97039bdb4c2dc6f4a8e5a5a5811%40%3Ccommits.tomee.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r2237a27040b57adc2fcc5570bd530ad2038e67fcb2a3ce65283d3143%40%3Ccommits.tomee.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r380781f5b489cb3c818536cd3b3757e806bfe0bca188591e0051ac03%40%3Ccommits.ws.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r4a62133ad01d5f963755021027a4cce23f76b8674a13860d2978c7c8%40%3Ccommits.tomee.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/r77c48cd851f60833df9a9c9c31f12243508e15d1b2a0961066d44fc6%40%3Ccommits.tomee.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/rc36b75cabb4d700b48035d15ad8b8c2712bb32123572a1bdaec2510a%40%3Cdev.ws.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/re04e4f8f0d095387fb6b0ff9016a0af8c93f42e1de93b09298bfa547%40%3Ccommits.ws.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/re7f46c4cc29a4616e0aa669c84a0eb34832e83a8eef05189e2e59b44%40%3Cdev.ws.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.apache.org/thread.html/rfa4647c58e375996e62a9094bffff6dc350ec311ba955b430e738945%40%3Cdev.ws.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://www.oracle.com/security-alerts/cpuoct2021.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.