CVE-2020-25659

Description

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.

CVSS Metrics

• v4.0•HIGH•Score: 8.2CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
• v3.1•MEDIUM•Score: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
• v2.0•MEDIUM•Score: 4.3AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.76%• Percentile: 74%

Techniques & Countermeasures

• CWE-385•Covert Timing Channel

  Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.

Affected Systems

• cryptography.io•cryptography

  3.2

• oracle•communications_cloud_native_core_network_function_cloud_native_environment

  1.10.0

• PyPI•cryptography

  < 3.2 | < 3.2.1

References (11)

• https://github.com/pyca/cryptography/pull/5507/commits/ce1bef6f1ee06ac497ca0c837fbd1c7ef6c2472b
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://github.com/pyca/cryptography/security/advisories/GHSA-hggm-jpg3-v476
• https://nvd.nist.gov/vuln/detail/CVE-2020-25659
• https://github.com/pyca/cryptography/pull/5507
• https://github.com/pyca/cryptography/commit/58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494
• https://github.com/advisories/GHSA-hggm-jpg3-v476
• https://github.com/pyca/cryptography
• https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2021-62.yaml
• https://pypi.org/project/cryptography