EIQ-2020-0014#

ID

EIQ-2020-0014

CVE

CVE-2020-25659

Description

cryptography is vulnerable to timing attacks

Date

11 Nov 2019

Severity

3 - HIGH

CVSSv3 score

7.5 (Snyk score)

Status

✅ 2.9.0

Assessment

cryptography versions 3.1.1 and earlier are vulnerable to Bleichenbacher timing attacks that leverage the time the RSA decryption API takes to process valid PKCS#1 v1.5 ciphertext.

cryptography versions 3.2 addresses the issue by trying to make RSA PKCS#1v1.5 decryption more time-uniform.

Mitigation

To mitigate this vulnerability:

Affected versions

2.8.0 and earlier.

Notes

For more information, see: