Moderate severity · NVD Advisory · Published Oct 19, 2020 · Updated Aug 4, 2024
Ciphertext integrity weakness in Tink
CVE-2020-8929
Description
A mishandling of invalid Unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which results in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem when encrypting with deterministic AEAD under a single key and relying on a unique ciphertext per plaintext.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.google.crypto.tink:tink (Maven) | < 1.5.0 | 1.5.0 |
Affected products
- Google LLC/Tink v5 Range: stable
References
- github.com/advisories/GHSA-g5vf-v6wf-7w2r (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-8929 (ghsa, ADVISORY)
- github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899 (ghsa, x_refsource_CONFIRM, WEB)
- github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r (ghsa, x_refsource_CONFIRM, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/tink/PYSEC-2020-142.yaml (ghsa, WEB)