EIQ-2020-0014


ID

EIQ-2020-0014

CVE

CVE-2020-25659

Description

cryptography is vulnerable to timing attacks

Date

11 Nov 2019

Severity

3 - HIGH

CVSSv3 score

7.5

(Snyk score)

Status

images/s/-u524h5/8501/61630d2d4f75946459caa0b3dbdac9bd6d7a7de4/_/images/icons/emoticons/check.svg 2.9.0

Assessment

cryptography versions 3.1.1 and earlier are vulnerable to Bleichenbacher timing attacks that leverage the time the RSA decryption API takes to process valid PKCS#1 v1.5 ciphertext.

cryptography versions 3.2 addresses the issue by trying to make RSA PKCS#1v1.5 decryption more time-uniform.

Mitigation

To mitigate this vulnerability:

Affected versions

2.8.0 and earlier.

Notes

For more information, see:

images/s/-u524h5/8501/61630d2d4f75946459caa0b3dbdac9bd6d7a7de4/_/images/icons/emoticons/information.svg    This section is not visible to users accessing the public docs, it's for internal reference   images/s/-u524h5/8501/61630d2d4f75946459caa0b3dbdac9bd6d7a7de4/_/images/icons/emoticons/information.svg

See also:

< Back to all security issues and mitigation actions

In release notes 2.9.0