CVE-2020-13757 Information

Description

Python-RSA before 4.1 ignores leading ‘\0’ bytes during decryption of ciphertext. This could conceivably have a security-relevant impact e.g. by helping an attacker to infer that an application uses Python-RSA or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).
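As an added illustration (not python-rsa's own code), the following toy RSA round trip shows why leading NUL bytes are accepted, and the ciphertext-length check that rejects them; the tiny key, the function names and the DecryptionError class are constructed for this example:

```python
# Added illustration of CVE-2020-13757; not python-rsa's own code.
# The ciphertext is turned into an integer before decrypting, and
# int(b"\x00" + x) == int(x), so the unchecked path accepts over-long input.

# Constructed toy key (p=61, q=53, e=17), far too small for real use.
N = 61 * 53                                # 3233, two bytes
E = 17
D = pow(E, -1, (61 - 1) * (53 - 1))        # 2753
BLOCKSIZE = (N.bit_length() + 7) // 8      # 2: required ciphertext length

class DecryptionError(Exception):
    pass

def bytes2int(raw: bytes) -> int:
    # Leading NUL bytes do not change the value: the root cause.
    return int.from_bytes(raw, "big")

def int2bytes(value: int, size: int) -> bytes:
    return value.to_bytes(size, "big")

def encrypt(message: int) -> bytes:
    return int2bytes(pow(message, E, N), BLOCKSIZE)

def decrypt_pre_4_1(crypto: bytes) -> int:
    """Behaviour the CVE describes: no ciphertext-length check."""
    return pow(bytes2int(crypto), D, N)

def decrypt_hardened(crypto: bytes) -> int:
    """Mitigation pattern: reject ciphertext that is not key-sized."""
    if len(crypto) != BLOCKSIZE:
        raise DecryptionError("ciphertext length does not match key size")
    return pow(bytes2int(crypto), D, N)

def demo() -> dict:
    crypto = encrypt(65)
    padded = b"\x00" * 1000 + crypto       # over-long, leading NULs
    try:
        decrypt_hardened(padded)
        rejected = False
    except DecryptionError:
        rejected = True
    return {"plain": decrypt_pre_4_1(crypto),
            "padded_plain": decrypt_pre_4_1(padded),
            "rejected": rejected}
```

The unchecked path returns the same plaintext for the 1002-byte ciphertext as for the 2-byte one, which is the length-dependent behaviour the description warns about; the hardened path fails closed before any modular exponentiation.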

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

https://github.com/sybrenstuvel/python-rsa/issues/146
https://github.com/sybrenstuvel/python-rsa/issues/146#issuecomment-641845667
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KILTHBHNSDUCYV22ODLOKTICJJ7JQIQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZYB65VNILRBTXL6EITQTH2PZPK7I23MW/
https://usn.ubuntu.com/4478-1/

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

Base Score

7.5

Base Severity

HIGH
