PT-2020-19477 · Apereo · Cryptacular

Published 2020-01-24 · Updated 2022-05-12 · CVE-2020-7226

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Cryptacular version 1.2.3
Cryptacular versions prior to 1.2.4
Description

The issue allows attackers to trigger excessive memory allocation during a decode operation. The length of the nonce byte array allocated with new byte[...] is taken from the header of the encoded data, that is, from untrusted input, so a crafted header can make the decoder request an arbitrarily large allocation before any of the data has been validated. The problem is specifically in CiphertextHeader.java in Cryptacular, which is used in Apereo CAS and other products.
Recommendations

For Cryptacular version 1.2.3 and all versions prior to 1.2.4, update to version 1.2.4 or later to resolve the issue. As a temporary workaround, validate or restrict the input that reaches CiphertextHeader.java so that a length field in the header cannot drive excessive memory allocation.
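The mechanism above, and the check the workaround calls for, as an added illustration in Java (not Cryptacular's code, and the header layout of a 4-byte nonce length followed by the nonce bytes, the MAX_NONCE_LENGTH value and the method names are all assumed for the example):

```java
import java.nio.ByteBuffer;

/**
 * Constructed illustration of an unbounded length field driving allocation
 * during decode, beside the bounded form. Not Cryptacular's code; the header
 * layout (4-byte big-endian nonce length, then nonce bytes) is assumed here.
 */
public final class HeaderLengthCheck {

    /** Largest nonce the hardened decoder accepts; assumed value for the example. */
    static final int MAX_NONCE_LENGTH = 255;

    /** Vulnerable shape: the array length comes straight from untrusted input. */
    static byte[] decodeNonceUnchecked(byte[] encoded) {
        ByteBuffer in = ByteBuffer.wrap(encoded);
        int nonceLength = in.getInt();          // attacker-controlled length field
        byte[] nonce = new byte[nonceLength];   // sized by that field: may request gigabytes
        in.get(nonce);                          // only now fails if the bytes are not there
        return nonce;
    }

    /** Hardened shape: bound the length before allocating anything sized by it. */
    static byte[] decodeNonceBounded(byte[] encoded) {
        ByteBuffer in = ByteBuffer.wrap(encoded);
        if (in.remaining() < 4) {
            throw new IllegalArgumentException("truncated header");
        }
        int nonceLength = in.getInt();
        if (nonceLength < 1 || nonceLength > MAX_NONCE_LENGTH) {
            throw new IllegalArgumentException("nonce length out of range: " + nonceLength);
        }
        if (nonceLength > in.remaining()) {
            throw new IllegalArgumentException("header claims more nonce bytes than are present");
        }
        byte[] nonce = new byte[nonceLength];   // at most MAX_NONCE_LENGTH, and all bytes are present
        in.get(nonce);
        return nonce;
    }

    /** Constructed sample: a header whose length field is set but carries no nonce bytes. */
    static byte[] headerClaiming(int nonceLength) {
        return ByteBuffer.allocate(4).putInt(nonceLength).array();
    }

    public static void main(String[] args) {
        // Constructed valid input: length 12 followed by 12 nonce bytes.
        byte[] valid = ByteBuffer.allocate(4 + 12).putInt(12).put(new byte[12]).array();
        System.out.println("bounded decode of valid header: "
                + decodeNonceBounded(valid).length + " nonce bytes");

        // Constructed malformed input: the length field alone, claiming ~2 GiB.
        byte[] malformed = headerClaiming(Integer.MAX_VALUE);
        try {
            decodeNonceBounded(malformed);
        } catch (IllegalArgumentException e) {
            System.out.println("bounded decode rejected it: " + e.getMessage());
        }
        // decodeNonceUnchecked(malformed) would attempt the ~2 GiB allocation (or die with
        // OutOfMemoryError) before discovering that no nonce bytes follow: the resource
        // exhaustion described above.
    }
}
```

The order of the checks in decodeNonceBounded is the point: the fixed upper bound and the comparison against the bytes actually present both run before new byte[...] is evaluated, so the size of any allocation is capped by the decoder, not by the input.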

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2020-7226
GHSA-X64G-4XX9-FH6X
RHSA-2020:2058
RHSA-2020:2059
RHSA-2020:2060
RHSA-2020:2511
RHSA-2020:2512
RHSA-2020:2513

Affected Products

Cryptacular