CVE-2020-7226

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 24-01-2020 04:15

Last modified: - 12-05-2022 05:00

Total changes: - 8

Description

CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Low

Attack complexity

Network

Attack vector

High

Availability

None

Confidentiality

None

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

7.5

Base score

3.9

3.6

Exploitability score

Impact score

Verification logic

vendor=vt AND product=cryptacular AND versionStartIncluding=1.2.0 AND versionEndExcluding=1.2.4

vendor=vt AND product=cryptacular AND versionEndExcluding=1.1.4

vendor=oracle AND product=webcenter_sites AND version=12.2.1.3.0

vendor=oracle AND product=weblogic_server AND version=12.2.1.4.0

vendor=oracle AND product=webcenter_sites AND version=12.2.1.4.0

vendor=oracle AND product=weblogic_server AND version=14.1.1.0.0

vendor=oracle AND product=communications_services_gatekeeper AND version=7.0

Reference

https://github.com/vt-middleware/cryptacular/blob/master/src/main/java/org/cryptacular/CiphertextHeader.java#L153
https://github.com/vt-middleware/cryptacular/issues/52
[ws-dev] 20200219 [jira] [Created] (WSS-665) Add cryptacular dependency and upgrade to 1.2.4 to fix CVE-2020-7226-Mailing List, Third Party Advisory
[ws-commits] 20200219 [ws-wss4j] branch 2_2_x-fixes updated: WSS-665 - Add cryptacular dependency and upgrade to 1.2.4 to fix CVE-2020-7226-Mailing List, Patch, Third Party Advisory
[ws-dev] 20200219 [jira] [Resolved] (WSS-665) Add cryptacular dependency and upgrade to 1.2.4 to fix CVE-2020-7226-Mailing List, Patch, Third Party Advisory
[ws-commits] 20200219 [ws-wss4j] branch master updated: WSS-665 - Add cryptacular dependency and upgrade to 1.2.4 to fix CVE-2020-7226-Mailing List, Patch, Third Party Advisory
https://github.com/vt-middleware/cryptacular/blob/fafccd07ab1214e3588a35afe3c361519129605f/src/main/java/org/cryptacular/CiphertextHeader.java#L153
[ws-dev] 20200318 [jira] [Closed] (WSS-665) Add cryptacular dependency and upgrade to 1.2.4 to fix CVE-2020-7226-Mailing List, Third Party Advisory
[tomee-commits] 20201013 [jira] [Assigned] (TOMEE-2908) TomEE plus is affected by CVE-2020-7226 (BDSA-2020-2333) vulnerability-Mailing List, Third Party Advisory
[tomee-commits] 20201013 [jira] [Created] (TOMEE-2908) TomEE plus is affected by CVE-2020-7226 (BDSA-2020-2333) vulnerability-Mailing List, Third Party Advisory
[tomee-commits] 20210426 [jira] [Updated] (TOMEE-2908) TomEE plus is affected by CVE-2020-7226 (BDSA-2020-2333) vulnerability-Mailing List, Third Party Advisory
[tomee-commits] 20210426 [jira] [Comment Edited] (TOMEE-2908) TomEE plus is affected by CVE-2020-7226 (BDSA-2020-2333) vulnerability-Mailing List, Third Party Advisory
[tomee-commits] 20210426 [jira] [Commented] (TOMEE-2908) TomEE plus is affected by CVE-2020-7226 (BDSA-2020-2333) vulnerability-Mailing List, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html
https://github.com/apereo/cas/pull/4685
https://github.com/apereo/cas/commit/93b1c3e9d90e36a19d0fa0f6efb863c6f0235e75
https://github.com/apereo/cas/commit/8810f2b6c71d73341d4dde6b09a18eb46cfd6d45
https://github.com/apereo/cas/commit/a042808d6adbbf44753d52c55cac5f533e24101f
https://www.oracle.com/security-alerts/cpuapr2022.html

Keywords

CVE-2020-7226

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2020-7226

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures