CVE-2020-25658

It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.

Published: Nov 12, 2020
Updated: May 9, 2024
CVE: CVE-2020-25658
GHSA: GHSA-xrx6-fmxq-rjj2
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.9
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N

CWEs:

CWE-327
CWE-385

OWASP TOP 10:

A3 - Sensitive Data Exposure

Affected Software
References

Software	From	Fixed in
python-rsa_project / python-rsa	2.1	4.7
redhat / openstack_platform	16.0	16.0.x
redhat / openstack_platform	13.0	13.0.x
fedoraproject / fedora	33	33.x
fedoraproject / fedora	34	34.x
fedoraproject / fedora	35	35.x
rsa	-	4.7

https://access.redhat.com/errata/RHSA-2020:5634
https://access.redhat.com/errata/RHSA-2021:0637
https://access.redhat.com/errata/RHSA-2022:1716
https://access.redhat.com/security/cve/CVE-2020-25658
https://bugzilla.redhat.com/show_bug.cgi?id=1889972
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25658
https://github.com/sybrenstuvel/python-rsa/commit/dae8ce0d85478e16f2368b2341632775313d41ed
https://github.com/sybrenstuvel/python-rsa/issues/165
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2SAF67KDGSOHLVFTRDOHNEAFDRSSYIWA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/APF364QJ2IYLPDNVFBOEJ24QP2WLVLJP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QY4PJWTYSOV7ZEYZVMYIF6XRU73CY6O7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2SAF67KDGSOHLVFTRDOHNEAFDRSSYIWA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/APF364QJ2IYLPDNVFBOEJ24QP2WLVLJP/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QY4PJWTYSOV7ZEYZVMYIF6XRU73CY6O7/

Vulnerability Database

CVE-2020-25658

Deep Security Visibility Without the Complexity