Bouncy Castle crypto authentication bypass vulnerability revealed
https://www.bleepingcomputer.com/news/security/bouncy-castle-crypto-authentication-bypass-vulnerability-revealed/ [www.bleepingcomputer.com]
2020-12-20 01:19
The OpenBSDBCrypt.doCheckPassword() function, which is responsible for comparing the freshly computed bcrypt hash string against the stored one character by character, contains a logic error.
“The code checks for an index of characters from 0 to 59 inclusive, rather than checking that characters at positions from 0 to 59 match,” reads the report published by Synopsys.
https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/
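To make the quoted finding concrete, the following is an added Python model of the broken comparison, not code from Bouncy Castle or from either article. The vulnerable Java loop (CVE-2020-28052, present in BC Java 1.65 and 1.66, fixed in 1.67) ran `stored.indexOf(i) == computed.indexOf(i)` for i from 0 to 59; Java's `indexOf(int)` takes a character code, not a position, and Python's `str.find(chr(i))` has the same semantics (first occurrence, -1 if absent), so it is used here to reproduce the bug. The stored hash string is a constructed 60-character bcrypt-shaped value, not a real hash of any password, and `forge_candidate` is this example's own helper showing why the check passes for a wrong hash; the constant-time fix via `hmac.compare_digest` is this example's choice, the advisory only requires that positions be compared.

```python
import hmac

# Constructed stand-in for a stored bcrypt hash string in the 60-character
# "$2a$<cost>$<22-char salt><31-char hash>" shape. Not a real hash of any password.
STORED_HASH = "$2a$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"
assert len(STORED_HASH) == 60


def chars_examined(s: str) -> set:
    """Characters of s with code points 0..59, the only ones the buggy loop can
    ever look at. In the bcrypt alphabet that is just '$', '.', '/' and '0'-'9';
    every letter has a code point of 65 or more and is never inspected."""
    return {c for c in s if ord(c) < 60}


def buggy_check(stored: str, computed: str) -> bool:
    """Model of the vulnerable comparison.

    The original Java did `stored.indexOf(i) == computed.indexOf(i)` for i in
    0..len-1. indexOf(int) takes a character code, so the loop compares *where
    code point i first appears* in each string, not the characters at position i.
    str.find(chr(i)) reproduces that (-1 when the character is absent)."""
    if len(stored) != len(computed):
        return False
    is_equal = True
    for i in range(len(stored)):          # i runs 0..59 for a 60-char hash string
        is_equal &= stored.find(chr(i)) == computed.find(chr(i))
    return is_equal


def fixed_check(stored: str, computed: str) -> bool:
    """Compare the characters at each position, as the advisory requires.
    hmac.compare_digest is used so the comparison is also constant time
    (this example's own choice, not the project's patch)."""
    if len(stored) != len(computed):
        return False
    return hmac.compare_digest(stored.encode("ascii"), computed.encode("ascii"))


def forge_candidate(stored: str) -> str:
    """Hypothetical helper: build a hash string that differs from `stored` in
    every letter of the 31-character hash portion while leaving '$', '.', '/'
    and digits exactly where they were. buggy_check cannot tell them apart."""
    prefix, digest = stored[:29], stored[29:]
    return prefix + "".join("x" if c.isalpha() else c for c in digest)


if __name__ == "__main__":
    forged = forge_candidate(STORED_HASH)
    print("examined by buggy loop:", sorted(chars_examined(STORED_HASH)))
    print("forged == stored?      ", forged == STORED_HASH)
    print("buggy accepts forged:  ", buggy_check(STORED_HASH, forged))
    print("fixed accepts forged:  ", fixed_check(STORED_HASH, forged))
```

Running it shows the buggy check accepting a candidate whose hash portion is almost entirely different, because the only characters it ever consults are `$` and the digits; any candidate password whose bcrypt output happens to place `.`, `/` and each digit at the same first positions (or omits them in the same way) is accepted, which is why a brute-force attack against the vulnerable versions succeeds with a noticeable fraction of wrong passwords.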