Vulnerability Name:

CVE-2020-25659 (CCN-192485)

Assigned: 2020-10-25
Published: 2020-10-25
Updated: 2023-02-09
Summary: python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.
CVSS v3 Severity:
5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): High
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): None
  Availability (A): None
5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): High
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): None
  Availability (A): None
5.9 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): High
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): High
  Integrity (I): None
  Availability (A): None
CVSS v2 Severity:
4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Medium
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Partial
  Integrity (I): None
  Availability (A): None
5.4 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:N/A:N)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): High
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): Complete
  Integrity (I): None
  Availability (A): None
Vulnerability Type: CWE-385
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2020-25659

Source: CCN
Type: Red Hat Bugzilla – Bug 1889988
(CVE-2020-25659) - CVE-2020-25659 python-cryptography: bleichenbacher timing oracle attack against RSA decryption

Source: XF
Type: UNKNOWN
python-cve202025659-info-disc(192485)

Source: secalert@redhat.com
Type: Patch, Third Party Advisory
secalert@redhat.com

Source: CCN
Type: IBM Security Bulletin 6417499 (Cloud Private)
IBM Cloud Private is vulnerable to a Python vulnerability (CVE-2020-25659)

Source: CCN
Type: IBM Security Bulletin 6428925 (Watson OpenScale)
IBM Watson OpenScale on Cloud Pak for Data is impacted by CVE-2020-25659

Source: CCN
Type: IBM Security Bulletin 6445737 (Spectrum Protect Plus)
Vulnerability in Python affects IBM Spectrum Protect Plus Microsoft File Systems backup and restore (CVE-2020-25659)

Source: CCN
Type: IBM Security Bulletin 6452959 (Spectrum Discover)
Vulnerabilities in the Python, Docker, and ICP affect IBM Spectrum Discover

Source: CCN
Type: IBM Security Bulletin 6469481 (Spectrum Discover)
Vulnerabilities in the Python, Python cryptography, and Urllib3 affect IBM Spectrum Discover

Source: CCN
Type: IBM Security Bulletin 6568787 (Cloud Pak for Security)
Cloud Pak for Security contains packages that have multiple vulnerabilities

Vulnerable Configuration:
Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*
  • OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:7770 | P | python3-cryptography-3.3.2-150400.16.6.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:7649 | P | libpq5-15.3-150200.5.9.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:8197 | P | Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets (Important) (in QA) | 2023-05-18
oval:org.opensuse.security:def:8111 | P | Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets (Important) (in QA) | 2023-05-18
oval:org.opensuse.security:def:8172 | P | Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets (Important) (in QA) | 2023-05-18
oval:org.opensuse.security:def:8185 | P | Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets (Important) (in QA) | 2023-05-18
oval:org.opensuse.security:def:94461 | P | (Important) | 2022-07-06
oval:org.opensuse.security:def:3168 | P | libevent-2_0-5-2.0.21-6.3.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3349 | P | python3-3.4.6-25.29.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94798 | P | python3-cryptography-2.8-10.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:284 | P | python3-cryptography-2.8-3.6.1 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:113259 | P | python36-cryptography-3.3.2-2.4 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:106671 | P | python36-cryptography-3.3.2-2.4 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:96706 | P | libunwind-1.2.1-2.13 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:1213 | P | python3-cryptography-2.8-3.6.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62302 | P | python3-cryptography-2.8-3.6.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101060 | P | python3-cryptography-2.8-3.6.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101174 | P | libSoundTouch0-1.8.0-3.11.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72043 | P | python3-cryptography-2.8-3.6.1 on GA media (Moderate) | 2021-08-09
oval:com.redhat.rhsa:def:20211608 | P | RHSA-2021:1608: python-cryptography security, bug fix, and enhancement update (Moderate) | 2021-05-18
oval:org.opensuse.security:def:110905 | P | Security update for python-cryptography (Moderate) | 2020-12-06
oval:org.opensuse.security:def:86467 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:31083 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:82065 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:21349 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:60147 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:55771 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:89095 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:33617 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:84531 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:28858 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:58645 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:125499 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:51854 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:87286 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:31560 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:82507 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:23094 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:56906 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:89353 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:33875 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:85547 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:29300 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:59440 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:126671 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:54681 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:88079 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:32003 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:83155 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:23480 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:57383 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:51082 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:34324 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:86024 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:29948 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:81022 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:59698 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:127068 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:55123 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:88388 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:32822 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:84076 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:23866 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:57826 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:51468 | P | Security update for python-cryptography (Moderate) | 2020-12-04
oval:org.opensuse.security:def:73560 | P | Security update for python-cryptography (Moderate) | 2020-12-02
oval:org.opensuse.security:def:100250 | P | (Moderate) | 2020-12-02
oval:org.opensuse.security:def:76518 | P | Security update for python-cryptography (Moderate) | 2020-12-02
oval:org.opensuse.security:def:95928 | P | Security update for python-cryptography (Moderate) | 2020-12-02
oval:org.opensuse.security:def:107840 | P | Security update for python-cryptography (Moderate) | 2020-12-02
oval:org.opensuse.security:def:64438 | P | Security update for python-cryptography (Moderate) | 2020-12-02
oval:org.opensuse.security:def:117355 | P | Security update for python-cryptography (Moderate) | 2020-12-02
oval:org.opensuse.security:def:109307 | P | Security update for python-cryptography (Moderate) | 2020-12-02
oval:org.opensuse.security:def:68738 | P | Security update for python-cryptography (Moderate) | 2020-12-02
oval:org.opensuse.security:def:118398 | P | Security update for python-cryptography (Moderate) | 2020-12-02
oval:org.opensuse.security:def:102641 | P | Security update for python-cryptography (Moderate) | 2020-12-02
    ibm cloud private 3.2.1 cd
    ibm spectrum protect plus 10.1.6
    ibm cloud private 3.2.2 cd
    ibm spectrum protect plus 10.1.7