Miggo Logo

CVE-2020-25659: RSA decryption vulnerable to Bleichenbacher timing vulnerability

5.9

CVSS Score
3.1

Basic Information

EPSS Score
0.56308%
Published
10/27/2020
Updated
11/18/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
cryptographypip< 3.23.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from non-constant-time error handling in RSA PKCS#1v1.5 decryption. The commit diff shows the vulnerable functions were modified to remove error path differences - specifically replacing key-specific error messages with a generic failure. The original implementation's separate error paths for public/private keys and different error messages created timing discrepancies exploitable via Bleichenbacher's attack. The CVE description and commit comments explicitly reference mitigating this through constant-time processing.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

RS* ***ryption w*s vuln*r**l* to *l*i***n*****r timin* vuln*r**iliti*s, w*i** woul* imp**t p*opl* usin* RS* ***ryption in onlin* s**n*rios. T*is is *ix** in *rypto*r*p*y *.*.

Reasoning

T** vuln*r**ility st*ms *rom non-*onst*nt-tim* *rror **n*lin* in RS* PK*S#*v*.* ***ryption. T** *ommit *i** s*ows t** vuln*r**l* *un*tions w*r* mo*i*i** to r*mov* *rror p*t* *i***r*n**s - sp**i*i**lly r*pl**in* k*y-sp**i*i* *rror m*ss***s wit* * **n*