Main Vulnerability Database SB2021050607

SB2021050607 - Weak password hashing in Red Hat Fuse

Published: May 6, 2021

Security Bulletin ID SB2021050607

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Comparison using wrong factors (CVE-ID: CVE-2020-28052)

The vulnerability allows a remote attacker to brute-force password hashes.

The vulnerability exists due to comparison error in OpenBSDBCrypt.checkPassword() function in core/src/main/java/org/bouncycastle/crypto/generators/OpenBSDBCrypt.java when matching passwords with hashes. A remote attacker can pass an incorrect password that will be accepted as a valid one by the library, bypass authentication process and gain unauthorized access to the application that uses vulnerable version of Bouncy Castle.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2021:1401