CVE-2020-25659: RSA decryption vulnerable to Bleichenbacher timing vulnerability
5.9
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.56308%
CWE
Published
10/27/2020
Updated
11/18/2024
KEV Status
No
Technology
Python
PythonTechnical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| cryptography | pip | < 3.2 | 3.2 |
Vulnerability Intelligence
Miggo AI
Miggo AIRoot Cause Analysis
The vulnerability stems from non-constant-time error handling in RSA PKCS#1v1.5 decryption. The commit diff shows the vulnerable functions were modified to remove error path differences - specifically replacing key-specific error messages with a generic failure. The original implementation's separate error paths for public/private keys and different error messages created timing discrepancies exploitable via Bleichenbacher's attack. The CVE description and commit comments explicitly reference mitigating this through constant-time processing.