VYPR
High severity · NVD Advisory · Published Dec 18, 2020 · Updated Aug 4, 2024

CVE-2020-28052

Description

An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Bouncy Castle BC Java 1.65 and 1.66 have a bug in OpenBSDBCrypt.checkPassword that compares incorrect data, allowing wrong passwords to match.

Description

The Bouncy Castle BC Java library versions 1.65 and 1.66 contain a vulnerability in the OpenBSDBCrypt.checkPassword utility method: it compares the wrong data when verifying a password. Specifically, the code called .indexOf(i) instead of .charAt(i) while iterating over the two bcrypt strings, so each step compared the position at which the character with code i first occurs rather than the characters at position i. This logic error sits in the constant-time comparison loop of the doCheckPassword function [1][4].
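
The difference between the two calls, as an added example that is not Bouncy Castle's code or part of the advisory: the two loops mirror the removed and added lines of the fix, while the class name, the length guard in fixedEquals and the three sample strings are constructed for the demo. Strings a and b differ throughout the hash part yet compare equal under the indexOf loop; the charAt loop tells them apart.

```java
public class BcryptCompareDemo {
    // Comparison loop as in BC 1.65/1.66. String.indexOf(int) searches for the
    // character whose code point is i, so for i = 0..59 this compares the
    // first-occurrence positions of U+0000..U+003B, not the characters at i.
    static boolean buggyEquals(String stored, String computed) {
        boolean isEqual = stored.length() == computed.length();
        for (int i = 0; i != stored.length(); i++) {
            isEqual &= (stored.indexOf(i) == computed.indexOf(i));
        }
        return isEqual;
    }

    // charAt comparison as in the 1.67 fix. The early return on length is an
    // addition for this demo so charAt cannot run past the shorter string.
    static boolean fixedEquals(String stored, String computed) {
        if (stored.length() != computed.length()) {
            return false;
        }
        boolean isEqual = true;
        for (int i = 0; i != stored.length(); i++) {
            isEqual &= (stored.charAt(i) == computed.charAt(i));
        }
        return isEqual;
    }

    public static void main(String[] args) {
        // Constructed 60-character strings in bcrypt layout (not real hashes):
        // 7-char version/cost field, 22-char salt, 31-char hash.
        String prefix = "$2y$04$" + "abcdefghijklmnopqrstuv";
        // b differs from a in every position after the salt, letters only.
        String a = prefix + "ABCDEFGHIJKLMNOPQRSTUVWXYZABCDE";
        String b = prefix + "ZYXWVUTSRQPONMLKJIHGFEDCBAZYXWV";
        // c differs from a in one position, where it carries a digit.
        String c = prefix + "ABCDEFG7IJKLMNOPQRSTUVWXYZABCDE";

        System.out.println("lengths: " + a.length() + " " + b.length() + " " + c.length());
        System.out.println("indexOf loop, a vs b: " + buggyEquals(a, b));
        System.out.println("charAt loop,  a vs b: " + fixedEquals(a, b));
        System.out.println("indexOf loop, a vs c: " + buggyEquals(a, c));
        System.out.println("charAt loop,  a vs c: " + fixedEquals(a, c));
    }
}
```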

Exploitation

To exploit this vulnerability, an attacker needs no special privileges or network access beyond the ability to submit passwords for validation against hashed values. Because the faulty comparison evaluates incorrectly for many inputs, a wrong password may be accepted as correct. The impact is confined to applications that use the vulnerable library, and nothing beyond the password check itself has to be bypassed.

Impact

An attacker can supply an incorrect password that will be incorrectly flagged as matching a previously stored hash. This effectively undermines the password verification mechanism, allowing unauthorized access to systems or data protected by the vulnerable OpenBSDBCrypt hashing. The severity is considered critical (CVSS 9.8) [1].

Mitigation

The vulnerability affects Bouncy Castle Java versions 1.65 and 1.66. Users should upgrade to version 1.67 or later, where the fix was applied by replacing .indexOf(i) with .charAt(i) in the constant-time comparison [2][3][4]. No official workarounds have been released.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| org.bouncycastle:bcprov-jdk15to18 (Maven) | >= 1.65, < 1.67 | 1.67 |
| org.bouncycastle:bcprov-jdk15 (Maven) | >= 1.65, < 1.67 | 1.67 |
| org.bouncycastle:bcprov-jdk15on (Maven) | >= 1.65, < 1.67 | 1.67 |
| org.bouncycastle:bcprov-ext-jdk15on (Maven) | >= 1.65, < 1.67 | 1.67 |
| org.bouncycastle:bcprov-jdk14 (Maven) | >= 1.65, < 1.67 | 1.67 |
| org.bouncycastle:bcprov-jdk16 (Maven) | >= 1.65, < 1.67 | 1.67 |
| org.bouncycastle:bcprov-ext-jdk16 (Maven) | >= 1.65, < 1.67 | 1.67 |

Affected products

9

Patches

1
97578f9b7ed2

corrected constant time equals.

https://github.com/bcgit/bc-java · David Hook · Oct 27, 2020 · via ghsa
2 files changed · +21 −1
  • core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java+1 1 modified
    @@ -309,7 +309,7 @@ private static boolean doCheckPassword(
             boolean isEqual = sLength == newBcryptString.length();
             for (int i = 0; i != sLength; i++)
             {
    -            isEqual &= (bcryptString.indexOf(i) == newBcryptString.indexOf(i));
    +            isEqual &= (bcryptString.charAt(i) == newBcryptString.charAt(i));
             }
             return isEqual;
         }
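
Review bot: In the loop bounded by i != sLength, newBcryptString.charAt(i) can throw StringIndexOutOfBoundsException if newBcryptString is ever shorter than sLength, because the length check on the line above only feeds isEqual and does not bound the loop; the removed indexOf call could not throw. Either return false before the loop when the lengths differ (the length is not secret) or confirm that both strings always have the same length at this point, and add a one-line comment saying the loop deliberately has no early exit so a later cleanup does not reintroduce one.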
    
  • core/src/test/java/org/bouncycastle/crypto/test/OpenBSDBCryptTest.java+20 0 modified
    @@ -1,5 +1,7 @@
     package org.bouncycastle.crypto.test;
     
    +import java.security.SecureRandom;
    +
     import org.bouncycastle.crypto.generators.OpenBSDBCrypt;
     import org.bouncycastle.util.Strings;
     import org.bouncycastle.util.test.SimpleTest;
    @@ -199,6 +201,24 @@ public void performTest()
                     fail("twoBVec mismatch: " + "[" + i + "] " + password);
                 }
             }
    +
    +
    +        int costFactor = 4;
    +        SecureRandom random = new SecureRandom();
    +        salt = new byte[16];
    +        for (int i = 0; i < 1000; i++)
    +        {
    +            random.nextBytes(salt);
    +            final String tokenString = OpenBSDBCrypt
    +                .generate("test-token".toCharArray(), salt, costFactor);
    +
    +            isTrue(OpenBSDBCrypt.checkPassword(tokenString, "test-token".toCharArray()));
    +            isTrue(!OpenBSDBCrypt.checkPassword(tokenString, "wrong-token".toCharArray()));
    +        }
         }
    +
    +
    +
    +
     }
     
    
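
Review bot: The new loop in performTest() takes its salts from an unseeded SecureRandom, so if either isTrue check fails the run cannot be reproduced from the test output. Report the salt or tokenString when a check fails, or add one fixed salt with a known wrong password next to the random iterations so the regression is pinned deterministically; the negative case also exercises only the single value "wrong-token". The blank lines added before the loop and the four added before the closing brace can be dropped.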

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

46
