CVE-2020-13757
First published: Wed May 27 2020(Updated: )
A flaw was found in the python-rsa package, where it does not explicitly check the ciphertext length against the key size and ignores the leading 0 bytes during the decryption of the ciphertext. This flaw allows an attacker to perform a ciphertext attack, leading to a denial of service. The highest threat from this vulnerability is to confidentiality.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python-rsa | <0:4.5-2.el7 | 0:4.5-2.el7 |
| redhat/python-rsa | <0:4.5-1.el7 | 0:4.5-1.el7 |
| redhat/python-rsa | <4.1 | 4.1 |
| debian/python-rsa | <=4.0-4 | 4.8-1 4.9-2 |
| pip/rsa | <4.1 | 4.1 |
| python3-rfc3339 | <4.1 | |
| Red Hat Fedora | =31 | |
| Red Hat Fedora | =32 | |
| Ubuntu | =14.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2020-13757
- https://github.com/sybrenstuvel/python-rsa/issues/146
- https://github.com/sybrenstuvel/python-rsa/issues/146#issuecomment-641845667
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KILTHBHNSDUCYV22ODLOKTICJJ7JQIQ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZYB65VNILRBTXL6EITQTH2PZPK7I23MW/
- https://usn.ubuntu.com/4478-1/
- https://github.com/advisories/GHSA-537h-rv9q-vvph (Advisory)
- https://www.cve.org/CVERecord?id=CVE-2020-13757 https://nvd.nist.gov/vuln/detail/CVE-2020-13757 https://github.com/sybrenstuvel/python-rsa/issues/146
- https://bugzilla.redhat.com/show_bug.cgi?id=1848507
- https://access.redhat.com/errata/RHSA-2020:3541
- https://access.redhat.com/errata/RHSA-2020:3453
- https://access.redhat.com/security/cve/cve-2020-13757
- https://launchpad.net/bugs/cve/CVE-2020-13757
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2KILTHBHNSDUCYV22ODLOKTICJJ7JQIQ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZYB65VNILRBTXL6EITQTH2PZPK7I23MW/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1848509
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1848508
- https://github.com/sybrenstuvel/python-rsa/commit/93af6f2f89a9bf28361e67716c4240e691520f30
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1851171
- https://security-tracker.debian.org/tracker/CVE-2020-13757
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13757
- https://ubuntu.com/security/CVE-2020-13757
- https://github.com/pypa/advisory-database/tree/main/vulns/rsa/PYSEC-2020-99.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KILTHBHNSDUCYV22ODLOKTICJJ7JQIQ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZYB65VNILRBTXL6EITQTH2PZPK7I23MW
- https://usn.ubuntu.com/4478-1
Frequently Asked Questions
What is the severity of CVE-2020-13757?
CVE-2020-13757 has been classified as a high severity vulnerability due to the potential for denial of service attacks.
How do I fix CVE-2020-13757?
To fix CVE-2020-13757, upgrade the python-rsa package to version 4.1 or later.
Which versions of python-rsa are affected by CVE-2020-13757?
Versions of python-rsa prior to 4.1 are affected by CVE-2020-13757.
Can CVE-2020-13757 be exploited remotely?
Yes, CVE-2020-13757 can be exploited remotely, allowing attackers to execute ciphertext attacks.
What impact does CVE-2020-13757 have on systems using python-rsa?
CVE-2020-13757 can lead to denial of service on systems utilizing the vulnerable python-rsa package.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-13757
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- collector/security-tracker-debian
- source/Debian
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-537h-rv9q-vvph
- agent/last-modified-date
- agent/references
- collector/github-advisory
- agent/trending
- agent/source
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- agent/tags
- package-manager/redhat
- package-manager/debian
- package-manager/pip
- vendor/python-rsa project
- canonical/python3-rfc3339
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/31
- version/red hat fedora/32
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/14.04