Vulnerability: CVE-2020-8929

A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext.


https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899
https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899
https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r
https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8929


It's possible to leave a comment as registered users to the site, accessing through social, wordpress account or as anonymous users. If you want to leave a comment as an anonymous user you will be notified by email of a possible response only if you enter the email address (optional). The insertion of any data in the comment fields is totally optional. Whoever decides to insert any data accepts the treatment of these last ones for the inherent purposes of the service that is the answer to the comment and the strictly necessary communications.


Leave a Reply