7.5
CVE-2020-26263
- EPSS 0.24%
- Published 21.12.2020 17:15:12
- Last modified 21.11.2024 05:19:41
- Source security-advisories@github.com
tlslite-ng is an open source Python library that implements SSL and TLS cryptographic protocols. In tlslite-ng before versions 0.7.6 and 0.8.0-alpha39, the code that performs decryption and padding check in RSA PKCS#1 v1.5 decryption is data dependent. In particular, the code has multiple ways in which it leaks information about the decrypted ciphertext. It aborts as soon as the plaintext doesn't start with 0x00, 0x02. All TLS servers that enable RSA key exchange, as well as applications that use the RSA decryption API directly, are vulnerable. This is patched in versions 0.7.6 and 0.8.0-alpha39. Note: the patches depend on Python processing the individual bytes in a side-channel free manner; this is known not to be the case (see reference). As such, users that require side-channel resistance are recommended to use different TLS implementations, as stated in the security policy of tlslite-ng.
Data is provided by the National Vulnerability Database (NVD)
Tlslite-ng Project ≫ Tlslite-ng Version < 0.7.6
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha1
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha10
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha11
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha12
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha13
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha14
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha15
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha16
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha17
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha18
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha19
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha2
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha20
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha21
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha22
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha23
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha24
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha25
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha26
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha27
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha28
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha29
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha3
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha30
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha31
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha32
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha33
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha34
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha35
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha36
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha37
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha38
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha4
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha5
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha6
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha7
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha8
Tlslite-ng Project ≫ Tlslite-ng Version 0.8.0 Update alpha9
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.24% | 0.476 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd@nist.gov | 5 | 10 | 2.9 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| security-advisories@github.com | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
CWE-326 Inadequate Encryption Strength
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.