CVE-2020-7226

Description:
CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data. The length field is read from the header and used to size the array before it is checked against any upper bound or against the number of bytes actually present, so a short crafted input can request an allocation large enough to exhaust the heap (denial of service).

CWE: CWE-770 (Allocation of Resources Without Limits or Throttling)

CVSS rating
CVSS 2: MEDIUM – 5.0 (version 2.0)
CVSS 3: HIGH – 7.5 (version 3.1)
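The allocation pattern in the description above, as an added example that is not code from Cryptacular, Apereo CAS or any other project on this page: a Python decoder for a constructed header layout (assumed for illustration, not Cryptacular's real format) in the vulnerable form, which sizes its buffer from the untrusted length field, beside the hardened form, which bounds the field and checks it against the bytes actually present before allocating anything. The layout, the limits, the function names and the crafted input are all assumptions.

```python
"""Header decoder with attacker-controlled length fields: unbounded vs. bounded.

Constructed example, not Cryptacular's code. The header layout is an assumption
made for illustration (all integers big-endian):
    uint32 nonce_len | nonce[nonce_len] | uint32 key_name_len | key_name[key_name_len]
"""
from __future__ import annotations

import struct

# Assumed limits. A nonce/IV for the block-cipher modes in common use is 12 to 16
# bytes, so 255 is already generous; anything larger is rejected before allocation.
MAX_NONCE_LEN = 255
MAX_KEY_NAME_LEN = 1024


class HeaderError(ValueError):
    """Raised for malformed or implausible headers, before any large allocation."""


def _read_u32(data: bytes, offset: int) -> tuple[int, int]:
    """Read one big-endian uint32; refuse to read past the end of the input."""
    if offset + 4 > len(data):
        raise HeaderError("truncated header")
    return struct.unpack_from(">I", data, offset)[0], offset + 4


def encode_header(nonce: bytes, key_name: str) -> bytes:
    """Produce a well-formed header for the assumed layout (used to build test input)."""
    name = key_name.encode("utf-8")
    return struct.pack(">I", len(nonce)) + nonce + struct.pack(">I", len(name)) + name


def craft_malicious_header() -> bytes:
    """Constructed attacker input: claims a ~2 GiB nonce but carries only 16 bytes."""
    return struct.pack(">I", 0x7FFFFFFF) + b"\x00" * 16


def decode_header_unbounded(data: bytes) -> tuple[bytes, str]:
    """Vulnerable pattern (CWE-770): the buffer size comes straight from the input
    and is allocated before anyone checks that the bytes actually exist."""
    nonce_len, off = _read_u32(data, 0)
    nonce = bytearray(nonce_len)          # size chosen by the sender
    nonce[:] = data[off:off + nonce_len]  # the allocation above is the DoS, not this copy
    off += nonce_len
    name_len, off = _read_u32(data, off)
    name = bytearray(name_len)            # same mistake for the second length field
    name[:] = data[off:off + name_len]
    return bytes(nonce), name.decode("utf-8")


def decode_header(data: bytes) -> tuple[bytes, str]:
    """Hardened decoder: each length is validated against a fixed ceiling and
    against the bytes actually present before a single byte is allocated."""
    nonce_len, off = _read_u32(data, 0)
    if not 1 <= nonce_len <= MAX_NONCE_LEN:
        raise HeaderError(f"nonce length {nonce_len} not in 1..{MAX_NONCE_LEN}")
    if off + nonce_len > len(data):
        raise HeaderError("nonce length exceeds available data")
    nonce = bytes(data[off:off + nonce_len])
    off += nonce_len
    name_len, off = _read_u32(data, off)
    if not 1 <= name_len <= MAX_KEY_NAME_LEN:
        raise HeaderError(f"key name length {name_len} not in 1..{MAX_KEY_NAME_LEN}")
    if off + name_len > len(data):
        raise HeaderError("key name length exceeds available data")
    try:
        key_name = data[off:off + name_len].decode("utf-8")
    except UnicodeDecodeError as exc:
        raise HeaderError("key name is not valid UTF-8") from exc
    return nonce, key_name


def rejects_before_allocating(data: bytes) -> bool:
    """True if the hardened decoder refuses `data` with a HeaderError."""
    try:
        decode_header(data)
    except HeaderError:
        return True
    return False


if __name__ == "__main__":
    good = encode_header(b"\x01" * 16, "key-2020")
    print(decode_header(good))
    print("crafted header rejected:", rejects_before_allocating(craft_malicious_header()))
```

The unbounded decoder is deliberately never fed the crafted header here: `bytearray(0x7FFFFFFF)` would attempt the same ~2 GiB allocation that `new byte[n]` requests in Java, where the outcome is an OutOfMemoryError on the decoding thread. The two checks in `decode_header` are both needed: the fixed ceiling stops absurd sizes, and the comparison against `len(data)` stops a short message from requesting more than it carries. Because the header is parsed before any key is applied, the length field is fully attacker-controlled and no secret is needed to trigger the allocation. The mailing-list references below name Cryptacular 1.2.4 as the version that carries the fix.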

Links:

NVD – CVE-2020-7226
CVE – CVE-2020-7226

Link (max. 20) | Source | Tags
https://github.com/vt-middleware/cryptacular/blob/master/src/main/java/org/cryptacular/CiphertextHeader.java#L153 | MISC | Exploit, Third Party Advisory, Patch, Vendor Advisory
https://github.com/vt-middleware/cryptacular/issues/52 | MISC | Exploit, Third Party Advisory
[ws-dev] 20200219 [jira] [Created] (WSS-665) Add cryptacular dependency and upgrade to 1.2.4 to fix CVE-2020-7226 | MLIST | Mailing List, Third Party Advisory
[ws-commits] 20200219 [ws-wss4j] branch 2_2_x-fixes updated: WSS-665 – Add cryptacular dependency and upgrade to 1.2.4 to fix CVE-2020-7226 | MLIST | Mailing List, Patch, Third Party Advisory
[ws-dev] 20200219 [jira] [Resolved] (WSS-665) Add cryptacular dependency and upgrade to 1.2.4 to fix CVE-2020-7226 | MLIST | Mailing List, Patch, Third Party Advisory
[ws-commits] 20200219 [ws-wss4j] branch master updated: WSS-665 – Add cryptacular dependency and upgrade to 1.2.4 to fix CVE-2020-7226 | MLIST | Mailing List, Patch, Third Party Advisory
https://github.com/vt-middleware/cryptacular/blob/fafccd07ab1214e3588a35afe3c361519129605f/src/main/java/org/cryptacular/CiphertextHeader.java#L153 | MISC | Exploit, Third Party Advisory
[ws-dev] 20200318 [jira] [Closed] (WSS-665) Add cryptacular dependency and upgrade to 1.2.4 to fix CVE-2020-7226 | MLIST | Mailing List, Third Party Advisory
[tomee-commits] 20201013 [jira] [Assigned] (TOMEE-2908) TomEE plus is affected by CVE-2020-7226 (BDSA-2020-2333) vulnerability | MLIST | Mailing List, Third Party Advisory
[tomee-commits] 20201013 [jira] [Created] (TOMEE-2908) TomEE plus is affected by CVE-2020-7226 (BDSA-2020-2333) vulnerability | MLIST | Mailing List, Third Party Advisory
[tomee-commits] 20210426 [jira] [Updated] (TOMEE-2908) TomEE plus is affected by CVE-2020-7226 (BDSA-2020-2333) vulnerability | MLIST | Mailing List, Third Party Advisory, Vendor Advisory
[tomee-commits] 20210426 [jira] [Comment Edited] (TOMEE-2908) TomEE plus is affected by CVE-2020-7226 (BDSA-2020-2333) vulnerability | MLIST | Mailing List, Third Party Advisory
[tomee-commits] 20210426 [jira] [Commented] (TOMEE-2908) TomEE plus is affected by CVE-2020-7226 (BDSA-2020-2333) vulnerability | MLIST | Mailing List, Third Party Advisory, Vendor Advisory
[tomcat-users] 20200726 Re: CVE-2020-1935 | MLIST | Mailing List, Vendor Advisory
[tomcat-users] 20200727 RE: CVE-2020-1935 | MLIST | Mailing List, Vendor Advisory
USN-4448-1 | UBUNTU | Third Party Advisory, Vendor Advisory
https://www.oracle.com/security-alerts/cpuoct2020.html | MISC | Third Party Advisory, Vendor Advisory
https://www.oracle.com/security-alerts/cpujan2021.html | MISC | Third Party Advisory, Vendor Advisory
[tomcat-dev] 20210428 [Bug 65272] Problems proccessing HTTP request without CR in last versions | MLIST | Mailing List, Vendor Advisory
[kafka-jira] 20200515 [jira] [Commented] (KAFKA-9997) upgrade log4j lib to address CVE-2020-9488 | MLIST | Mailing List, Vendor Advisory

Source: NVD – CVE-2020-7226
Published: 2020-01-24T15:15Z, last modified: 2021-05-05T13:39Z