CVE-2020-28052

Name of the Vulnerable Software and Affected Versions Legion of the Bouncy Castle BC Java versions 1.65 through 1.66

Description An issue was discovered in the OpenBSDBCrypt.checkPassword utility method, which compared incorrect data when checking the password. This allowed incorrect passwords to indicate they were matching with previously hashed ones that were different. The vulnerability can be exploited to bypass authentication, potentially giving an attacker access to user or admin accounts. It is estimated that 20% of passwords can be cracked with the first thousand attempts.

Recommendations For versions 1.65 and 1.66, update to version 1.67 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the application until the update can be applied.