PT-2020-6703 · Pypi · Python-Cryptography

Published: 2020-10-25 · Updated: 2024-09-09 · CVE-2020-25659

CVSS v4.0: 8.2 (High)

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: python-cryptography, version 3.2
Description: The issue stems from errors in RSA key handling in the python-cryptography package for the Python programming language. It may allow a remote attacker to gain unauthorized access to protected information. Specifically, the RSA decryption API is susceptible to Bleichenbacher timing attacks: the time taken to process a PKCS#1 v1.5 ciphertext reveals whether its padding is valid, and that timing side channel can be exploited. This affects users who perform RSA decryption in online (network-facing) scenarios.
Recommendations: For python-cryptography version 3.2, update to a version in which the RSA decryption vulnerability is fixed, as the current version is vulnerable to Bleichenbacher timing attacks. As a temporary workaround, restrict use of the RSA decryption API to minimize the risk of exploitation.

Related Identifiers

ALT-PU-2020-3147
ALT-PU-2023-8071
ALT-PU-2024-9926
BDU:2022-05647
CESA-2021_1608
CVE-2020-25659
GHSA-HGGM-JPG3-V476
MGASA-2020-0438
OPENSUSE-SU-2020:2173-1
OPENSUSE-SU-2020_2173-1
OPENSUSE-SU-2024:11223-1
OPENSUSE-SU-2024:13819-1
PYSEC-2021-62
RHSA-2021:1608
RHSA-2021:2239
RHSA-2021:3254
RHSA-2021_1608
RLSA-2021:1608
SUSE-FU-2022:0444-1
SUSE-FU-2022:0445-1
SUSE-RU-2021:0985-1
SUSE-RU-2022:2355-1
SUSE-SU-2020:3592-1
SUSE-SU-2020:3629-1
SUSE-SU-2020_3592-1
SUSE-SU-2020_3629-1
SUSE-SU-2023:0604-1
SUSE-SU-2023:2783-1
SUSE-SU-2023:2783-2
SUSE-SU-2023_0604-1
USN-4613-1

Affected Products

Alt Linux
Astra Linux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu
Zvirt Node
Python-Cryptography