Decryption Vulnerability in Python-RSA Library by Sybren Stuvel
CVE-2020-13757
7.5 HIGH
What is CVE-2020-13757?
The Python-RSA library prior to version 4.1 has a flaw in which leading null ('\0') bytes in a ciphertext are ignored during decryption. This could allow an attacker to infer that an application uses the library. Additionally, if the length of the accepted ciphertext affects how the application behaves, the flaw could lead to excessive memory allocation and other unexpected behavior, which makes it a significant risk in secure application development.
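The behaviour described above, as an added example that is not Python-RSA's own code: a decrypt routine that converts the ciphertext straight to an integer never sees leading null bytes, while a hardened one checks the length against the modulus size first. The toy key, the raw (unpadded) RSA and all function names are assumptions made for illustration.

```python
# Constructed toy key built from two Mersenne primes; far too small for real use.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)
BLOCK = (N.bit_length() + 7) // 8      # modulus size in bytes (19 here)


class DecryptionError(Exception):
    """Raised for any malformed ciphertext, without saying why."""


def encrypt(message: bytes) -> bytes:
    # Raw RSA without PKCS#1 padding, only to keep the example short.
    m = int.from_bytes(message, "big")
    if m >= N:
        raise ValueError("message too long for this toy key")
    return pow(m, E, N).to_bytes(BLOCK, "big")


def decrypt_lenient(ciphertext: bytes) -> bytes:
    # Flawed pattern: bytes -> int discards leading zero bytes, so a
    # ciphertext of any length maps to the same integer and decrypts fine.
    m = pow(int.from_bytes(ciphertext, "big"), D, N)
    return m.to_bytes(BLOCK, "big").lstrip(b"\0")


def decrypt_strict(ciphertext: bytes) -> bytes:
    # Hardened pattern: the ciphertext must be exactly as long as the
    # modulus (RFC 8017 requires this check before any RSA operation).
    if len(ciphertext) != BLOCK:
        raise DecryptionError("Decryption failed")
    if int.from_bytes(ciphertext, "big") >= N:
        raise DecryptionError("Decryption failed")
    return decrypt_lenient(ciphertext)


def strict_rejects(ciphertext: bytes) -> bool:
    try:
        decrypt_strict(ciphertext)
    except DecryptionError:
        return True
    return False


if __name__ == "__main__":
    c = encrypt(b"session-key")
    padded = b"\0" * 1000 + c          # constructed oversized input
    print(len(padded), decrypt_lenient(padded), strict_rejects(padded))
```

Rejecting on length before converting to an integer also bounds how much attacker-supplied data the decrypt path will process.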