CVE-2020-28052 Vulnerability Analysis & Exploit Details

CVE-2020-28052 Vulnerability Summary

CVE-2020-28052: An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different.

Exploit Prediction Scoring System (EPSS)

The EPSS score estimates the probability that this vulnerability will be exploited in the near future.

EPSS Score: 1.67% (probability of exploit)

EPSS Percentile: 87.7% (lower percentile = lower relative risk)
This vulnerability is less risky than approximately 12.299999999999997% of others.

CVE-2020-28052 References

External References

• https://github.com/bcgit/bc-java/wiki/CVE-2020-28052
• https://lists.apache.org/thread.html/r167dbc42ef7c59802c2ca1ac14735ef9cf687c25208229993d6206fe%40%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r175f5a25d100dbe2b1bd3459b3ce882a84c3ff91b120ed4ff2d57b53%40%3Ccommits.pulsar.apache.org%3E
• https://lists.apache.org/thread.html/r25d53acd06f29244b8a103781b0339c5e7efee9099a4d52f0c230e4a%40%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/r2ddabd06d94b60cfb0141e4abb23201c628ab925e30742f61a04d013%40%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r30a139c165b3da6e0d5536434ab1550534011b1fdfcd2f5d95892c5b%40%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r37d332c0bf772f4982d1fdeeb2f88dd71dab6451213e69e43734eadc%40%3Ccommits.pulsar.apache.org%3E
• https://lists.apache.org/thread.html/r4e1619cfefcd031fac62064a3858f5c9229eef907bd5d8ef14c594fc%40%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r77af3ac7c3bfbd5454546e13faf7aec21d627bdcf36c9ca240436b94%40%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e%40%3Cissues.solr.apache.org%3E
• https://lists.apache.org/thread.html/r954d80fd18e9dafef6e813963eb7e08c228151c2b6268ecd63b35d1f%40%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/rc9e441c1576bdc4375d32526d5cf457226928e9c87b9f54ded26271c%40%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/rcd37d9214b08067a2e8f2b5b4fd123a1f8cb6008698d11ef44028c21%40%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/rdcbad6d8ce72c79827ed8c635f9a62dd919bb21c94a0b64cab2efc31%40%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/rddd2237b8636a48d573869006ee809262525efb2b6ffa6eff50d2a2d%40%3Cjira.kafka.apache.org%3E
• https://lists.apache.org/thread.html/rdfd2901b8b697a3f6e2c9c6ecc688fd90d7f881937affb5144d61d6e%40%3Ccommits.druid.apache.org%3E
• https://lists.apache.org/thread.html/rf9abfc0223747a56694825c050cc6b66627a293a32ea926b3de22402%40%3Cissues.karaf.apache.org%3E
• https://lists.apache.org/thread.html/rfc0db1f3c375087e69a239f9284ded72d04fbb55849eadde58fa9dc2%40%3Cissues.karaf.apache.org%3E
• https://www.bouncycastle.org/releasenotes.html
• https://www.oracle.com//security-alerts/cpujul2021.html
• https://www.oracle.com/security-alerts/cpuApr2021.html
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujan2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.oracle.com/security-alerts/cpuoct2021.html
• https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/

CWE Common Weakness Enumeration

NVD-CWE-Other

Vulnerable Configurations

• cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.65:*:*:*:*:*:*:*
  cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.65:*:*:*:*:*:*:*
• cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.66:*:*:*:*:*:*:*
  cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle-java-crytography-api:1.66:*:*:*:*:*:*:*
• cpe:2.3:a:apache:karaf:4.3.2:*:*:*:*:*:*:*
  cpe:2.3:a:apache:karaf:4.3.2:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.3.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:banking_corporate_lending_process_management:14.5.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.3.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:banking_credit_facilities_process_management:14.5.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:banking_extensibility_workbench:14.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:banking_extensibility_workbench:14.3.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:banking_extensibility_workbench:14.5.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:banking_supply_chain_finance:14.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:banking_supply_chain_finance:14.3.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:banking_supply_chain_finance:14.5.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:banking_virtual_account_management:14.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:banking_virtual_account_management:14.3.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:banking_virtual_account_management:14.5.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:blockchain_platform:-:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:blockchain_platform:-:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p3:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p3:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_convergence:3.0.2.2.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_convergence:3.0.2.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_session_report_manager:8.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_session_report_manager:8.0.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_session_report_manager:8.0.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_session_report_manager:8.0.0.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_session_report_manager:8.1.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_session_report_manager:8.1.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_session_report_manager:8.1.1:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_session_report_manager:8.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_session_report_manager:8.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_session_report_manager:8.2.2:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_session_report_manager:8.2.2:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_session_report_manager:8.2.2.1:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_session_report_manager:8.2.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_session_report_manager:8.2.4.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_session_report_manager:8.2.4.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_session_route_manager:8.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_session_route_manager:8.2.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_session_route_manager:8.2.0.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_session_route_manager:8.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_session_route_manager:8.2.2:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_session_route_manager:8.2.2:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_session_route_manager:8.2.2.1:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_session_route_manager:8.2.2.1:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:communications_session_route_manager:8.2.4:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:communications_session_route_manager:8.2.4:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:-:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:-:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:4.0.1.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:4.0.1.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1.5:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.1.5:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.2:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.2:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.5.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.5.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.5.3:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.5.3:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:utilities_framework:4.3.0.6.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:webcenter_portal:11.1.1.9.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
• cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
  cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*
• cpe:2.3:o:oracle:communications_messaging_server:8.0.2:*:*:*:*:*:*:*
  cpe:2.3:o:oracle:communications_messaging_server:8.0.2:*:*:*:*:*:*:*
• cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*
  cpe:2.3:o:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*

Other 5 Recently Published CVEs Vulnerabilities

• CVE-2025-2129 – A vulnerability was found in Mage AI 0.9.75. It has been classified as problematic. This affects an unknown part. The manipulation leads to insecur...
• CVE-2025-2127 – A vulnerability was found in JoomlaUX JUX Real Estate 3.4.0 on Joomla. It has been classified as problematic. Affected is an unknown function of th...
• CVE-2025-2126 – A vulnerability was found in JoomlaUX JUX Real Estate 3.4.0 on Joomla and classified as critical. This issue affects some unknown processing of the...
• CVE-2025-2125 – A vulnerability has been found in Control iD RH iD 25.2.25.0 and classified as problematic. This vulnerability affects unknown code of the file /v2...
• CVE-2025-2124 – A vulnerability, which was classified as problematic, was found in Control iD RH iD 25.2.25.0. This affects an unknown part of the file /v2/custome...