CVE-2020-8929 - Vulnerability Details - OpenCVE

A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Google	Tink Java

Configuration 1 [-]

cpe:2.3:a:google:tink_java:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899
https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r

History

Thu, 05 Jun 2025 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Google tink Java
CPEs	cpe:2.3:a:google:tink::::::::	cpe:2.3:a:google:tink_java::::::::
Vendors & Products	Google tink	Google tink Java

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2020-10-19T12:15:16

Updated: 2024-08-04T10:12:11.052Z

Reserved: 2020-02-12T00:00:00

Link: CVE-2020-8929

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-10-19T13:15:13.437

Modified: 2025-06-05T14:50:15.710

Link: CVE-2020-8929

Redhat

No data.

{"containers": {"cna": {"affected": [{"platforms": ["Java"], "product": "Tink", "vendor": "Google LLC", "versions": [{"lessThan": "1.5", "status": "affected", "version": "stable", "versionType": "custom"}]}], "credits": [{"lang": "en", "value": "Peter Esbensen"}], "descriptions": [{"lang": "en", "value": "A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-176", "description": "CWE-176 Improper Handling of Unicode Encoding", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-19T12:15:16", "orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r"}], "source": {"discovery": "EXTERNAL"}, "title": "Ciphertext integrity weakness in Tink", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2020-8929", "STATE": "PUBLIC", "TITLE": "Ciphertext integrity weakness in Tink"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Tink", "version": {"version_data": [{"platform": "Java", "version_affected": "<", "version_name": "stable", "version_value": "1.5"}]}}]}, "vendor_name": "Google LLC"}]}}, "credit": [{"lang": "eng", "value": "Peter Esbensen"}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-176 Improper Handling of Unicode Encoding"}]}]}, "references": {"reference_data": [{"name": "https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899", "refsource": "CONFIRM", "url": "https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899"}, {"name": "https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r", "refsource": "CONFIRM", "url": "https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r"}]}, "source": {"discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T10:12:11.052Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r"}]}]}, "cveMetadata": {"assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "assignerShortName": "Google", "cveId": "CVE-2020-8929", "datePublished": "2020-10-19T12:15:16", "dateReserved": "2020-02-12T00:00:00", "dateUpdated": "2024-08-04T10:12:11.052Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:tink_java:*:*:*:*:*:*:*:*", "matchCriteriaId": "79CF433A-2538-413E-B3A7-B07C4D2B9BDA", "versionEndExcluding": "1.5.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext."}, {"lang": "es", "value": "Un manejo inapropiado de caracteres Unicode no v\u00e1lidos en la implementaci\u00f3n de Java Tink versiones anteriores a 1.5, permite a un atacante cambiar la parte del ID de un texto cifrado, lo que resulta en la creaci\u00f3n de un segundo texto cifrado que puede descifrarse en el mismo texto plano. Esto puede ser un problema con el cifrado AEAD determinista con una sola clave y depender de un \u00fanico texto cifrado por texto plano"}], "id": "CVE-2020-8929", "lastModified": "2025-06-05T14:50:15.710", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}]}, "published": "2020-10-19T13:15:13.437", "references": [{"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899"}, {"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-176"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "[email protected]", "type": "Primary"}]}