Bouncy Castle fixes cryptography API authentication bypass flaw

2020-12-17 15:26

A severe authentication bypass vulnerability has been reported in Bouncy Castle, a popular open-source cryptography library.

The.NET version of Bouncy Castle alone has been downloaded over 16,000,000 times, speaking to the seriousness of vulnerabilities in Bouncy Castle, a library relied on by developers of mission-critical applications.

This week, two researchers Matti Varanka and Tero Rontti from Synopsys Cybersecurity Research Center have disclosed an authentication bypass vulnerability in Bouncy Castle.

The flaw, tracked as CVE-2020-28052, exists in the OpenBSDBcrypt class of Bouncy Castle which implements the Bcrypt password hashing algorithm.

Successful exploitation of the flaw means, an attacker could brute-force the password for any user account, including the administrator's, should an application's hash-based password checks be using Bouncy Castle.

News URL

https://www.bleepingcomputer.com/news/security/bouncy-castle-fixes-cryptography-api-authentication-bypass-flaw/

#API #authentication #bypass #cryptography #CVE-2020-28052

Related Vulnerability

DATE	CVE	VULNERABILITY TITLE	RISK
2020-12-18	CVE-2020-28052	An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. network high complexity bouncycastle apache oracle	8.1