Security News > 2020 > December > Bouncy Castle crypto authentication bypass vulnerability revealed
A severe authentication bypass vulnerability has been reported in Bouncy Castle, a popular open-source cryptography library.
The.NET version of Bouncy Castle alone has been downloaded over 16,000,000 times, speaking to the seriousness of vulnerabilities in Bouncy Castle, a library relied on by developers of mission-critical applications.
This week, two researchers Matti Varanka and Tero Rontti from Synopsys Cybersecurity Research Center have disclosed an authentication bypass vulnerability in Bouncy Castle.
The flaw, tracked as CVE-2020-28052, exists in the OpenBSDBcrypt class of Bouncy Castle which implements the Bcrypt password hashing algorithm.
Successful exploitation of the flaw means, an attacker could brute-force the password for any user account, including the administrator's, should an application's hash-based password checks be using Bouncy Castle.
News URL
Related news
- Juniper Session Smart Routers Vulnerability Could Let Attackers Bypass Authentication (source)
- Moxa Issues Fix for Critical Authentication Bypass Vulnerability in PT Switches (source)
- Palo Alto Networks Patches Authentication Bypass Exploit in PAN-OS Software (source)
- PAN-OS authentication bypass hole plugged, PoC is public (CVE-2025-0108) (source)
- Hackers exploit authentication bypass in Palo Alto Networks PAN-OS (source)
- GitLab patches critical authentication bypass vulnerabilities (source)
- Critical Next.js Vulnerability Allows Attackers to Bypass Middleware Authorization Checks (source)
- Critical Next.js auth bypass vulnerability opens web apps to compromise (CVE-2025-29927) (source)
- Critical Ingress NGINX Controller Vulnerability Allows RCE Without Authentication (source)
- Broadcom warns of authentication bypass in VMware Windows Tools (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-12-18 | CVE-2020-28052 | An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. | 8.1 |