GHSA-g5vf-v6wf-7w2r

Source

https://github.com/advisories/GHSA-g5vf-v6wf-7w2r

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-g5vf-v6wf-7w2r/GHSA-g5vf-v6wf-7w2r.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-g5vf-v6wf-7w2r

Aliases

Published

2020-10-16T00:51:24Z

Modified

2024-11-13T23:22:30.359134Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Ciphertext Malleability Issue in Tink Java

Details

Impact

Tink's Java version before 1.5 under some circumstances allowed attackers to change the key ID part of the ciphertext, resulting in the attacker creating a second ciphertext that will decrypt to the same plaintext. This can be a problem in particular in the case of encrypting with a deterministic AEAD with a single key, and relying on the fact that there is only a single valid ciphertext per plaintext.

No loss of confidentiality or loss of plaintext integrity occurs due to this problem, only ciphertext integrity is compromised.

Patches

The issue was fixed in this pull request.

Workarounds

The only workaround is to backport the fixing pull request.

Details

Tink uses the first five bytes of a ciphertext for a version byte and a four byte key ID. Since each key has a well defined prefix, this extends non-malleability properties (but technically not indistinguishability). However, in the Java version this prefix lookup used a hash map indexed by unicode strings instead of the byte array, which means that invalid Unicode characters would be replaced by U+FFFD by the Java API's default behavior. This means several different values for the five bytes would result in the same hash table key, which allows an attacker to exchange one invalid byte sequence for another, creating a mutated ciphertext that still decrypts (to the same plaintext).

Acknowledgements

We'd like to thank Peter Esbensen for finding this issue and raising it internally.

For more information

If you have any questions or comments about this advisory: * Open an issue in Tink

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-176",
        "CWE-327"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-10-16T00:49:43Z"
}

References

Affected packages

Maven / com.google.crypto.tink:tink

Package

Name: com.google.crypto.tink:tink; View open source insights on deps.dev
Purl: pkg:maven/com.google.crypto.tink/tink

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5.0

Affected versions

1.*

1.0.0

1.1.0

1.1.1

1.2.0-rc2

1.2.0-rc3

1.2.0-rc4

1.2.0

1.2.1

1.2.2

1.3.0-rc1

1.3.0-rc2

1.3.0-rc3

1.3.0-rc4

1.3.0

1.4.0-rc1

1.4.0-rc2

1.4.0