-
Notifications
You must be signed in to change notification settings - Fork 1.1k
CVE 2020 28052
Issue affecting: BC 1.65 and BC 1.66.
Fixed versions: BC 1.67 or later
Issue: CWE-1025: Comparison Using Wrong Factors
A comparison error in OpenBSDBCrypt.checkPassword() can result in an incorrect password been accepted as a valid one. Do not use OpenBSDBCrypt.checkPassword() in either BC 1.65 or BC 1.66. The bug is quite insidious as it can create the impression the code is working. It is not and any usage of OpenBSDBCrypt.checkPassword() for BC 1.65 or BC 1.66 needs to be removed.
See commit https://github.com/bcgit/bc-java/commit/97578f9b7ed277e6ecb58834e85e3d18385a4219 for the changes.
Workaround Details
If you have to use either BC 1.65 or BC 1.66 and you need to do password checking for OpenBSDBcrypt use the code given in the doCheckPassword() method in:
It's a static method - the code can be copied into your own utility class without issue.