CVE-2020-25659
First published: Wed Oct 21 2020(Updated: )
A flaw was found in python-cryptography, where it is vulnerable to Bleichenbacher timing attacks. This flaw allows an attacker, via the RSA decryption API, to decrypt parts of the ciphertext encrypted with RSA. The highest threat from this vulnerability is to confidentiality.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/python-cryptography | <0:3.2.1-4.el8 | 0:3.2.1-4.el8 |
| redhat/rh-python38-babel | <0:2.7.0-12.el7 | 0:2.7.0-12.el7 |
| redhat/rh-python38-python | <0:3.8.11-2.el7 | 0:3.8.11-2.el7 |
| redhat/rh-python38-python-cryptography | <0:2.8-5.el7 | 0:2.8-5.el7 |
| redhat/rh-python38-python-jinja2 | <0:2.10.3-6.el7 | 0:2.10.3-6.el7 |
| redhat/rh-python38-python-lxml | <0:4.4.1-7.el7 | 0:4.4.1-7.el7 |
| redhat/rh-python38-python-pip | <0:19.3.1-2.el7 | 0:19.3.1-2.el7 |
| redhat/rh-python38-python-urllib3 | <0:1.25.7-7.el7 | 0:1.25.7-7.el7 |
| redhat/redhat-virtualization-host | <0:4.4.6-20210527.3.el8_4 | 0:4.4.6-20210527.3.el8_4 |
| Python-cryptography Project Python-cryptography | =3.2 | |
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment | =1.10.0 | |
| pip/cryptography | <3.2 | 3.2 |
| redhat/python-cryptography | <3.2 | 3.2 |
| Cryptography.io Cryptography Python | =3.2 |
Remedy
https://github.com/pyca/cryptography/pull/5507/commits/ce1bef6f1ee06ac497ca0c837fbd1c7ef6c2472b
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-25659 https://nvd.nist.gov/vuln/detail/CVE-2020-25659 https://cryptography.io/en/latest/changelog.html#v3-2
- https://bugzilla.redhat.com/show_bug.cgi?id=1889988
- https://access.redhat.com/errata/RHSA-2021:1608
- https://access.redhat.com/errata/RHSA-2021:3254
- https://access.redhat.com/errata/RHSA-2021:2239
- https://access.redhat.com/security/cve/cve-2020-25659
- https://github.com/pyca/cryptography/pull/5507/commits/ce1bef6f1ee06ac497ca0c837fbd1c7ef6c2472b
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://access.redhat.com/support/policy/updates/cloudforms
- https://cryptography.io/en/latest/changelog.html#v3-2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1929462
- https://github.com/pyca/cryptography/security/advisories/GHSA-hggm-jpg3-v476
- https://github.com/pyca/cryptography/commit/58494b41d6ecb0f56b7c5f05d5f5e3ca0320d494
- https://nvd.nist.gov/vuln/detail/CVE-2020-25659
- https://github.com/pyca/cryptography/pull/5507
- https://github.com/advisories/GHSA-hggm-jpg3-v476 (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2021-62.yaml
- https://pypi.org/project/cryptography
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this python-cryptography vulnerability?
The vulnerability ID for this python-cryptography vulnerability is CVE-2020-25659.
What is the severity rating of CVE-2020-25659?
The severity rating of CVE-2020-25659 is medium with a value of 5.9.
How does the vulnerability impact confidentiality?
The vulnerability impacts confidentiality as an attacker can decrypt parts of the ciphertext.
Which software versions of python-cryptography are affected by CVE-2020-25659?
Versions up to and excluding 3.2 of python-cryptography are affected by CVE-2020-25659.
Where can I find more information about CVE-2020-25659?
You can find more information about CVE-2020-25659 at the following references: [GitHub](https://github.com/pyca/cryptography/pull/5507/commits/ce1bef6f1ee06ac497ca0c837fbd1c7ef6c2472b), [Red Hat](https://access.redhat.com/support/policy/updates/cloudforms), [Cryptography.io](https://cryptography.io/en/latest/changelog.html#v3-2)
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/severity
- agent/remedy
- agent/description
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-25659
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/event
- collector/nvd-api
- source/NVD
- agent/softwarecombine
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-hggm-jpg3-v476
- agent/references
- agent/last-modified-date
- agent/tags
- collector/nvd-cve
- collector/github-advisory
- package-manager/redhat
- vendor/python-cryptography project
- canonical/python-cryptography project python-cryptography
- version/python-cryptography project python-cryptography/3.2
- vendor/oracle
- canonical/oracle communications cloud native core network function cloud native environment
- version/oracle communications cloud native core network function cloud native environment/1.10.0
- vendor/cryptography.io
- canonical/cryptography.io cryptography python
- version/cryptography.io cryptography python/3.2
- package-manager/pip