https://bugzilla.redhat.com/show_bug.cgi?id=1801380
Bug ID: 1801380 Summary: CVE-2020-7226 cryptacular: excessive memory allocation during a decode operation Product: Security Response Hardware: All OS: Linux Status: NEW Component: vulnerability Keywords: Security Severity: medium Priority: medium Assignee: security-response-team@redhat.com Reporter: gsuckevi@redhat.com CC: aboyko@redhat.com, aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, asoldano@redhat.com, atangrin@redhat.com, bbaranow@redhat.com, bmaxwell@redhat.com, brian.stansberry@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, darran.lofthouse@redhat.com, dkreling@redhat.com, dosoudil@redhat.com, drieden@redhat.com, etirelli@redhat.com, extras-orphan@fedoraproject.org, ggaughan@redhat.com, ibek@redhat.com, iweiss@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jochrist@redhat.com, jperkins@redhat.com, jstastny@redhat.com, jwon@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, lef@fedoraproject.org, lgao@redhat.com, mnovotny@redhat.com, msochure@redhat.com, msvehla@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pdrozd@redhat.com, pjindal@redhat.com, pmackay@redhat.com, psotirop@redhat.com, puntogil@libero.it, rguimara@redhat.com, rrajasek@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, sdaley@redhat.com, smaestri@redhat.com, sthorger@redhat.com, tom.jenkinson@redhat.com Target Milestone: --- Classification: Other
CiphertextHeader.java in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data.
Reference: https://github.com/vt-middleware/cryptacular/issues/52