{"id":"CVE-2020-8929","details":"A mis-handling of invalid unicode characters in the Java implementation of Tink versions prior to 1.5 allows an attacker to change the ID part of a ciphertext, which result in the creation of a second ciphertext that can decrypt to the same plaintext. This can be a problem with encrypting deterministic AEAD with a single key, and rely on a unique ciphertext-per-plaintext.","aliases":["GHSA-g5vf-v6wf-7w2r","PYSEC-2020-142"],"modified":"2026-04-11T13:54:02.417410Z","published":"2020-10-19T13:15:13.437Z","related":["GHSA-g5vf-v6wf-7w2r"],"references":[{"type":"FIX","url":"https://github.com/google/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899"},{"type":"FIX","url":"https://github.com/google/tink/security/advisories/GHSA-g5vf-v6wf-7w2r"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tink-crypto/tink","events":[{"introduced":"0"},{"fixed":"ca852750014fb65590585285e2ed7deeb04cb36a"},{"fixed":"93d839a5865b9d950dffdc9d0bc99b71280a8899"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.5.0"}]}}],"versions":["go/integration/hcvault/v1.4.0-rc1","go/integration/hcvault/v1.4.0-rc2","go/v1.4.0-rc1","go/v1.4.0-rc2","v1.0.0","v1.1.0","v1.1.1","v1.2.0","v1.2.0-rc2","v1.2.0-rc3","v1.2.0-rc4","v1.3.0-rc1","v1.3.0-rc2","v1.4.0-rc1","v1.4.0-rc2"],"database_specific":{"vanir_signatures":[{"source":"https://github.com/tink-crypto/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899","signature_version":"v1","id":"CVE-2020-8929-0bef705b","target":{"file":"java_src/src/main/java/com/google/crypto/tink/PrimitiveSet.java","function":"addPrimitive"},"deprecated":false,"signature_type":"Function","digest":{"function_hash":"217881201261916344316553839640080936871","length":715}},{"source":"https://github.com/tink-crypto/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899","signature_version":"v1","id":"CVE-2020-8929-5f31f113","target":{"file":"java_src/src/main/java/com/google/crypto/tink/PrimitiveSet.java"},"deprecated":false,"signature_type":"Line","digest":{"line_hashes":["157414841065670058462330412288726568007","108916698505316697896927837801069949125","329953534583668519471318701801756243441","213576573152777414863879008901387448313","117095508662451436026999904308032369379","253256134297389226440813142341947082556","235237472774331919668376667751742900432","166517235777786224518032432875894209912","157678614999336421597063061426693421695","137165361629755901251605909441366605245","273248960221924926855140517766478383219","188617306577646167314510855791087647903","305213812347837163836313675875228833265","166698426010835856215096125922411474565","297583809220781884592827695125311262910","241289953989506126859141392310543976193","107922863496083804360076348135896354859","128692932181663531956448901019848472168","55947774114710356573264013802535826596","142551651716694686536564144631747175878","121531892295596273159651830304332866028","53350761022494845887792663144414820270","24683522678372212630385082067239946921"],"threshold":0.9}},{"source":"https://github.com/tink-crypto/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899","signature_version":"v1","id":"CVE-2020-8929-b6db4b04","target":{"file":"java_src/src/test/java/com/google/crypto/tink/PrimitiveSetTest.java","function":"testBasicFunctionality"},"deprecated":false,"signature_type":"Function","digest":{"function_hash":"336480560591704285155113984453929751247","length":2366}},{"source":"https://github.com/tink-crypto/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899","signature_version":"v1","id":"CVE-2020-8929-cea17d37","target":{"file":"java_src/src/test/java/com/google/crypto/tink/PrimitiveSetTest.java"},"deprecated":false,"signature_type":"Line","digest":{"line_hashes":["146175358446346798436697762436011149257","295942350449558665742799913355865684801","211307551365374089730606137149354531355","26353490931673665710809428408506110659","182537772909162327202526083499477956523","329953534583668519471318701801756243441","126333911796798416263336896935722055939","70260780078299868670536020959072281678","96803705860922078313911072580373155433","113396495125288665233912927029793507283","234156420052173044438438639672442638471","15175985646369398483260471257013460649","169003393220567029982272055006592009093","49125774217727985790838356054946417228","177304168442040758471695821047672453602","171888511372190141356176899853650975434","23936496925817278157482710542947234335","115690790232692471645256338558932719018","75562305059812802870823955954415433234","101032819747363744876388845259504663814","82359856998348033683579614702664792186","205422223639136502879281703786625805924","155572029847699494806626563838973371838","14903607018543231778895518337430911011","246957667163346934343903169032503416287","140314242352240142747726537608347367727","315420771190081624889203641475418065417","38638001576893638579214821712220064671","71430218427425071246202871725195202201","271517990677501793529420800353605664226","322166073183876051042553613141898237198","156662998931894483064305203148036766746","261395711075483476186195734758232092057","111142739761903615585587592610622225062","44159434901570754501518201921413679241","324714737432003588589138272643598322415","198744038604350611120073568144765990230","99995408411146038819414179650715747879","75562305059812802870823955954415433234","246706484195991439373335839996138797280","95639478499927079270886414043639423993","100076700588357950984846615938334054251","71430218427425071246202871725195202201","264905063397817558713430685859007133502","214922383522459711199232647740461491950","290145492935218893974818148391724595902","47363546000523299680042878563193591294"],"threshold":0.9}},{"source":"https://github.com/tink-crypto/tink/commit/93d839a5865b9d950dffdc9d0bc99b71280a8899","signature_version":"v1","id":"CVE-2020-8929-dc95a620","target":{"file":"java_src/src/main/java/com/google/crypto/tink/PrimitiveSet.java","function":"getPrimitive"},"deprecated":false,"signature_type":"Function","digest":{"function_hash":"305755066724297118589985672762111541734","length":178}}],"vanir_signatures_modified":"2026-04-11T13:54:02Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-8929.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}