Timing Attack Affecting cryptography package, versions [,3.2)


0.0
medium

Snyk CVSS

  • Attack Complexity High
  • Confidentiality High

Threat Intelligence

  • EPSS 0.11% (44th percentile)

  • NVD 5.9 medium
  • SUSE 5.9 medium
  • Red Hat 5.9 medium

  • Snyk ID SNYK-PYTHON-CRYPTOGRAPHY-1022152
  • published 27 Oct 2020
  • disclosed 25 Oct 2020
  • credit Hubert Kario

How to fix?

Upgrade cryptography to version 3.2 or higher.

Overview

Affected versions of this package are vulnerable to Timing Attack. The RSA decryption API is exposed to Bleichenbacher timing attacks via timed processing of valid PKCS#1 v1.5 ciphertext (Marvin).

Notes:

  1. Version 3.2 of this package contains an incomplete fix, which might help reduce the chances of this vulnerability being exploited. We recommend updating to version 42.0.0 for the complete fix, as recommended in the advisory for CVE-2023-50782.

  2. This vulnerability presents a moderate severity concern due to its specific impact on applications utilizing RSA decryption with PKCS#1 v1.5 padding. While the vulnerability could potentially lead to leakage in RSA decryption operations, its severity is downgraded to medium by several factors. Firstly, the exploitability of the vulnerability is limited to scenarios where RSA decryption with PKCS#1 v1.5 padding is employed, narrowing the scope of affected systems. Additionally, the implementation of implicit rejection, such as the Marvin workaround, provides a viable mitigation strategy.
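
A triage helper for the scope described in the notes above, added here as an example and not taken from Snyk or the cryptography project: `classify` maps an installed version to the advisory's two thresholds (3.2 and 42.0.0), and `find_pkcs1v15_decrypt` flags `.decrypt(...)` calls that receive `PKCS1v15()` padding. The function names and the sample source are constructed for illustration; the scan is syntactic, so padding objects passed in through function parameters or attributes are not followed.

```python
import ast
import re

# Thresholds come from the advisory text; everything else is illustrative.
PARTIAL_FIX, COMPLETE_FIX = (3, 2, 0), (42, 0, 0)

def classify(version):
    """Map a cryptography version string to the advisory's three states."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    # Pad to three fields so "3.2" equals "3.2.0"; pre-release tags are ignored.
    v = (tuple(int(p) for p in m.group().split(".")) + (0, 0))[:3]
    if v < PARTIAL_FIX:
        return "vulnerable"
    return "partial-fix" if v < COMPLETE_FIX else "complete-fix"

def _is_pkcs1v15(node, aliases):
    """True for a PKCS1v15() call or a name previously bound to one."""
    if isinstance(node, ast.Name):
        return node.id in aliases
    if isinstance(node, ast.Call):
        f = node.func
        return (f.attr if isinstance(f, ast.Attribute) else getattr(f, "id", None)) == "PKCS1v15"
    return False

def find_pkcs1v15_decrypt(source):
    """Line numbers of .decrypt(...) calls that receive PKCS#1 v1.5 padding."""
    tree = ast.parse(source)
    aliases = set()
    for node in ast.walk(tree):  # pass 1: names such as `pad = padding.PKCS1v15()`
        if isinstance(node, ast.Assign) and _is_pkcs1v15(node.value, ()):
            aliases.update(t.id for t in node.targets if isinstance(t, ast.Name))
    hits = []
    for node in ast.walk(tree):  # pass 2: decrypt calls only; sign/verify are out of scope
        if isinstance(node, ast.Call) and getattr(node.func, "attr", None) == "decrypt":
            args = list(node.args) + [k.value for k in node.keywords]
            if any(_is_pkcs1v15(a, aliases) for a in args):
                hits.append(node.lineno)
    return sorted(hits)

# Constructed sample source, not taken from any real project.
SAMPLE = """\
legacy = key.decrypt(blob, padding.PKCS1v15())
sig = key.sign(msg, padding.PKCS1v15(), hashes.SHA256())
pad = padding.PKCS1v15()
aliased = key.decrypt(blob, pad)
oaep = key.decrypt(blob, padding.OAEP(mgf=mgf, algorithm=alg, label=None))
"""
```

Feed `classify` the output of `importlib.metadata.version("cryptography")` and run `find_pkcs1v15_decrypt` over each source file; a "vulnerable" or "partial-fix" result combined with any hit marks code that falls inside the advisory's scope.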