CVE-2020-8929

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-8929
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8929.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-8929
Aliases
Related
Published
2020-10-19T13:15:13Z
Modified
2025-10-21T05:57:29.532570Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
[none]
Details

Mishandling of invalid Unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which results in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem for applications that encrypt with deterministic AEAD using a single key and rely on a unique ciphertext per plaintext.

References

Affected packages

Git / github.com/tink-crypto/tink

Affected ranges

Type
GIT
Repo
https://github.com/tink-crypto/tink
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

go/integration/hcvault/v1.*

go/integration/hcvault/v1.4.0-rc1
go/integration/hcvault/v1.4.0-rc2

go/v1.*

go/v1.4.0-rc1
go/v1.4.0-rc2

v1.*

v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.2.0-rc2
v1.2.0-rc3
v1.2.0-rc4
v1.3.0-rc1
v1.3.0-rc2
v1.4.0-rc1
v1.4.0-rc2

Database specific

vanir_signatures

[
    {
        "source": "https://github.com/tink-crypto/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899",
        "target": {
            "function": "addPrimitive",
            "file": "java_src/src/main/java/com/google/crypto/tink/PrimitiveSet.java"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2020-8929-0bef705b",
        "signature_type": "Function",
        "digest": {
            "length": 715.0,
            "function_hash": "217881201261916344316553839640080936871"
        }
    },
    {
        "source": "https://github.com/tink-crypto/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899",
        "target": {
            "file": "java_src/src/main/java/com/google/crypto/tink/PrimitiveSet.java"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2020-8929-5f31f113",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        }
    },
    {
        "source": "https://github.com/tink-crypto/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899",
        "target": {
            "function": "testBasicFunctionality",
            "file": "java_src/src/test/java/com/google/crypto/tink/PrimitiveSetTest.java"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2020-8929-b6db4b04",
        "signature_type": "Function",
        "digest": {
            "length": 2366.0,
            "function_hash": "336480560591704285155113984453929751247"
        }
    },
    {
        "source": "https://github.com/tink-crypto/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899",
        "target": {
            "file": "java_src/src/test/java/com/google/crypto/tink/PrimitiveSetTest.java"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2020-8929-cea17d37",
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
            ]
        }
    },
    {
        "source": "https://github.com/tink-crypto/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899",
        "target": {
            "function": "getPrimitive",
            "file": "java_src/src/main/java/com/google/crypto/tink/PrimitiveSet.java"
        },
        "deprecated": false,
        "signature_version": "v1",
        "id": "CVE-2020-8929-dc95a620",
        "signature_type": "Function",
        "digest": {
            "length": 178.0,
            "function_hash": "305755066724297118589985672762111541734"
        }
    }
]