CVE-2020-8929

A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext.

CVSS v3 5.3 MEDIUM
CVSS v2.0 5.0 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899	Patch Third Party Advisory
https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:google:tink:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-10-19 13:15

Updated : 2020-10-29 22:16

NVD link : CVE-2020-8929

Mitre link : CVE-2020-8929

CVE.ORG link : CVE-2020-8929

JSON object : View

Products Affected

google

tink

CWE

NVD-CWE-Other CWE-176

Improper Handling of Unicode Encoding

{"id": "CVE-2020-8929", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "cve-coordination@google.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2020-10-19T13:15:13.437", "references": [{"url": "https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899", "tags": ["Patch", "Third Party Advisory"], "source": "cve-coordination@google.com"}, {"url": "https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r", "tags": ["Patch", "Third Party Advisory"], "source": "cve-coordination@google.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "cve-coordination@google.com", "description": [{"lang": "en", "value": "CWE-176"}]}], "descriptions": [{"lang": "en", "value": "A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext."}, {"lang": "es", "value": "Un manejo inapropiado de caracteres Unicode no v\u00e1lidos en la implementaci\u00f3n de Java Tink versiones anteriores a 1.5, permite a un atacante cambiar la parte del ID de un texto cifrado, lo que resulta en la creaci\u00f3n de un segundo texto cifrado que puede descifrarse en el mismo texto plano. Esto puede ser un problema con el cifrado AEAD determinista con una sola clave y depender de un \u00fanico texto cifrado por texto plano"}], "lastModified": "2020-10-29T22:16:48.257", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:tink:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "72E3E34A-E2CF-43CE-9D67-0E6ED1BC4EE3", "versionEndExcluding": "1.5"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@google.com"}