CVE-2020-8929 MEDIUM

CVE-2020-8929: Ciphertext integrity weakness in Tink

Vendor Google LLC
Product Tink
Weakness CWE-176
Published October 19, 2020
Last update August 4, 2024

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

Description

Mishandling of invalid Unicode characters in the Java implementation of Tink, in versions prior to 1.5, allows an attacker to alter the key-ID part of a ciphertext, which results in a second, distinct ciphertext that decrypts to the same plaintext. This is a problem for applications that use deterministic AEAD under a single key and rely on each plaintext producing exactly one ciphertext.

Key dates

Disclosure timeline

October 19, 2020 CVE published
August 4, 2024 Record updated