x/vulndb: potential Go vuln in github.com/google/tink: CVE-2020-8929

[tatianab]

CVE-2020-8929 references github.com/google/tink, which may be a Go module.

Description:
A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-8929
• fix: tink-crypto/tink@93d839a
• advisory: GHSA-g5vf-v6wf-7w2r
• Imported by: https://pkg.go.dev/github.com/google/tink?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/google/tink
      vulnerable_at: 1.7.0
      packages:
        - package: Tink
cves:
    - CVE-2020-8929
credits:
    - Peter Esbensen
references:
    - fix: https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899
    - advisory: https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports