EIQ-2020-0014#

ID	EIQ-2020-0014
CVE	CVE-2020-25659
Description	cryptography is vulnerable to timing attacks
Date	11 Nov 2019
Severity	3 - HIGH
CVSSv3 score	7.5 (Snyk score)
Status	✅ 2.9.0
Assessment	cryptography versions 3.1.1 and earlier are vulnerable to Bleichenbacher timing attacks that leverage the time the RSA decryption API takes to process valid PKCS#1 v1.5 ciphertext. cryptography versions 3.2 addresses the issue by trying to make RSA PKCS#1v1.5 decryption more time-uniform.
Mitigation	To mitigate this vulnerability: Upgrade cryptography to version 3.2 or later.
Affected versions	2.8.0 and earlier.
Notes	For more information, see: CVE-2020-25659 on mitre.org CWE-208: Observable Timing Discrepancy Red Hat Bug 1889988 reporting the vulnerability GitHub PR with the fix