Vulnerabilities > CVE-2020-8929 - Unspecified vulnerability in Google Tink

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

LOW

Availability impact

NONE

network

low complexity

google

NVD

Published: 2020-10-19

Updated: 2020-10-29

Summary

A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext.

Vulnerable Configurations

Part	Description	Count
Application	Google Google Tink 1.0.0 Google Tink 1.1.0 Google Tink 1.1.1 Google Tink 1.2.0 Google Tink 1.2.1 Google Tink 1.2.2 Google Tink 1.3.0 Google Tink 1.4.0	17

References

https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r
https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899