Security News > 2020 > December > Bouncy Castle crypto authentication bypass vulnerability revealed

Bouncy Castle crypto authentication bypass vulnerability revealed
2020-12-17 15:26

A severe authentication bypass vulnerability has been reported in Bouncy Castle, a popular open-source cryptography library.

The.NET version of Bouncy Castle alone has been downloaded over 16,000,000 times, speaking to the seriousness of vulnerabilities in Bouncy Castle, a library relied on by developers of mission-critical applications.

This week, two researchers Matti Varanka and Tero Rontti from Synopsys Cybersecurity Research Center have disclosed an authentication bypass vulnerability in Bouncy Castle.

The flaw, tracked as CVE-2020-28052, exists in the OpenBSDBcrypt class of Bouncy Castle which implements the Bcrypt password hashing algorithm.

Successful exploitation of the flaw means, an attacker could brute-force the password for any user account, including the administrator's, should an application's hash-based password checks be using Bouncy Castle.


News URL

https://www.bleepingcomputer.com/news/security/bouncy-castle-crypto-authentication-bypass-vulnerability-revealed/

Related Vulnerability