Bouncy Castle fixes crypto API authentication bypass flaw (Security News, December 2020)
A severe authentication bypass vulnerability has been reported in Bouncy Castle, a popular open-source cryptography library.
The .NET version of Bouncy Castle alone has been downloaded over 16,000,000 times, which gives a sense of how many applications, including mission-critical ones, depend on the library and therefore of how serious a vulnerability in it is. The flaw reported here is in the Java library (BC Java 1.65 and 1.66, as the vulnerability table below lists).
This week, Matti Varanka and Tero Rontti, two researchers from the Synopsys Cybersecurity Research Center (CyRC), disclosed an authentication bypass vulnerability in Bouncy Castle.
The flaw, tracked as CVE-2020-28052, is in the OpenBSDBCrypt class (org.bouncycastle.crypto.generators), which implements the OpenBSD-style bcrypt password hashing scheme that produces "$2a$"/"$2y$" hash strings. Its checkPassword method re-hashes the supplied password with the cost and salt parsed from the stored hash string and then compares the two 60-character strings; in versions 1.65 and 1.66 that comparison loop compared the wrong data (the position of the first occurrence of the character with code point i, via String.indexOf(i), instead of the character at index i), so two different hash strings can still compare as equal.
Successful exploitation means that an attacker who can submit login attempts can brute-force the password of any user account, including the administrator's, in any application whose hash-based password check relies on this class: because the flawed comparison accepts many wrong passwords whose bcrypt output merely resembles the stored hash in a few character positions, far fewer attempts are needed than a genuine brute force against bcrypt would take. Applications should upgrade to Bouncy Castle 1.67 or later, which restores a full constant-time comparison.
Related news
- Cox fixed an API auth bypass exposing millions of modems to attacks (source)
- ASUS warns of critical remote authentication bypass on 7 routers (source)
- ASUS Patches Critical Authentication Bypass Flaw in Multiple Router Models (source)
- Docker fixes critical 5-year old authentication bypass flaw (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK (CVSS v3 base score) |
---|---|---|---|
2020-12-18 | CVE-2020-28052 | An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. | 8.1 |