{"containers": {"cna": {"affected": [{"platforms": ["Java"], "product": "Tink", "vendor": "Google LLC", "versions": [{"lessThan": "1.5", "status": "affected", "version": "stable", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Peter Esbensen"}], "descriptions": [{"lang": "en", "value": "A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-176", "description": "CWE-176 Improper Handling of Unicode Encoding", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-19T12:15:16", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r"}], "source": {"discovery": "EXTERNAL"}, "title": "Ciphertext integrity weakness in Tink", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@google.com", "ID": "CVE-2020-8929", "STATE": "PUBLIC", "TITLE": "Ciphertext integrity weakness in Tink"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Tink", "version": {"version_data": [{"platform": "Java", "version_affected": "<", "version_name": "stable", "version_value": "1.5"}]}}]}, "vendor_name": "Google LLC"}]}}, "credit": [{"lang": "eng", "value": "Peter Esbensen"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-176 Improper Handling of Unicode Encoding"}]}]}, "references": {"reference_data": [{"name": "https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899", "refsource": "CONFIRM", "url": "https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899"}, {"name": "https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r", "refsource": "CONFIRM", "url": "https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:12:11.052Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r"}]}]}, "cveMetadata": {"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2020-8929", "datePublished": "2020-10-19T12:15:16", "dateReserved": "2020-02-12T00:00:00", "dateUpdated": "2024-08-04T10:12:11.052Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:tink_java:*:*:*:*:*:*:*:*", "matchCriteriaId": "79CF433A-2538-413E-B3A7-B07C4D2B9BDA", "versionEndExcluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext."}, {"lang": "es", "value": "Un manejo inapropiado de caracteres Unicode no v\u00e1lidos en la implementaci\u00f3n de Java Tink versiones anteriores a 1.5, permite a un atacante cambiar la parte del ID de un texto cifrado, lo que resulta en la creaci\u00f3n de un segundo texto cifrado que puede descifrarse en el mismo texto plano. Esto puede ser un problema con el cifrado AEAD determinista con una sola clave y depender de un \u00fanico texto cifrado por texto plano"}], "id": "CVE-2020-8929", "lastModified": "2025-06-05T14:50:15.710", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cve-coordination@google.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-10-19T13:15:13.437", "references": [{"source": "cve-coordination@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899"}, {"source": "cve-coordination@google.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-176"}], "source": "cve-coordination@google.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}