CVE-2020-13757
Published: 2020-06-01
Priority: P3 (38) · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.36% (68.2th percentile)
Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).
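The root cause is easy to see in code. A ciphertext is converted to an integer before the private-key operation, and an integer does not remember how many leading zero bytes it was written with, so without an explicit check of the ciphertext length against the key size a 25-byte ciphertext and the same value prefixed with a megabyte of zeros decrypt identically. An application that accepts the oversized input both reveals which library it uses and lets the attacker choose how much memory the decrypt call touches. The following is an added, self-contained Python illustration written for this page; it is not code from the python-rsa project. The key (two Mersenne primes giving a 25-byte modulus), the minimal PKCS#1 v1.5 padding helpers, the function names and the sample message are all constructed for the demo, and `decrypt_checked` shows the class of length check that 4.1 introduced rather than the exact upstream code. Python 3.8+ is required for the modular inverse via `pow`.

```python
"""Constructed demonstration of CVE-2020-13757 (not python-rsa's own code):
a PKCS#1 v1.5 decrypt with and without a ciphertext-length check."""
import secrets

# Constructed demo key, NOT secure: p = 2^89 - 1 and q = 2^107 - 1 are both
# Mersenne primes, which keeps the key self-contained and the modulus tiny.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # Python 3.8+: modular inverse
BLOCKSIZE = (N.bit_length() + 7) // 8       # 25 bytes: one RSA block for N


class DecryptionError(Exception):
    """Any malformed or undecryptable input (same role as rsa.pkcs1.DecryptionError)."""


def pad_pkcs1_v15(message: bytes, blocksize: int) -> bytes:
    """PKCS#1 v1.5 type-2 padding: 00 02 <random non-zero bytes> 00 <message>."""
    if len(message) > blocksize - 11:
        raise OverflowError("message too long for this key")
    ps_len = blocksize - len(message) - 3
    padding = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + padding + b"\x00" + message


def unpad_pkcs1_v15(block: bytes) -> bytes:
    """Strip type-2 padding. Demo only: not constant-time, unsuitable for production."""
    if block[:2] != b"\x00\x02":
        raise DecryptionError("Decryption failed")
    sep = block.find(b"\x00", 2)
    if sep < 0:
        raise DecryptionError("Decryption failed")
    return block[sep + 1:]


def encrypt(message: bytes) -> bytes:
    """Textbook RSA over a padded block; the output is exactly BLOCKSIZE bytes."""
    m = int.from_bytes(pad_pkcs1_v15(message, BLOCKSIZE), "big")
    return pow(m, E, N).to_bytes(BLOCKSIZE, "big")


def _raw_decrypt(ciphertext: bytes) -> bytes:
    """Integer RSA step. int.from_bytes() yields the same integer for
    b"\x00" * k + c as for c alone, which is the root cause of the CVE."""
    c = int.from_bytes(ciphertext, "big")
    if c >= N:                               # sanity check, unrelated to the CVE
        raise DecryptionError("Decryption failed")
    return pow(c, D, N).to_bytes(BLOCKSIZE, "big")


def decrypt_unchecked(ciphertext: bytes) -> bytes:
    """Pre-4.1 style: the ciphertext length is never compared with the key size,
    so any number of leading zero bytes is silently accepted."""
    return unpad_pkcs1_v15(_raw_decrypt(ciphertext))


def decrypt_checked(ciphertext: bytes) -> bytes:
    """Post-4.1 style: reject ciphertext whose length does not match the modulus.
    The length is attacker-visible public information, so this early exit is not
    a timing side channel."""
    if len(ciphertext) != BLOCKSIZE:
        raise DecryptionError("Decryption failed")
    return unpad_pkcs1_v15(_raw_decrypt(ciphertext))


def demo(prefix_len: int = 1000) -> dict:
    """Encrypt a constructed message, prepend prefix_len zero bytes, and decrypt
    with both variants. Returns booleans describing what each variant accepted."""
    plaintext = b"attack at dawn"                    # constructed sample input
    ct = encrypt(plaintext)
    oversized = b"\x00" * prefix_len + ct            # same integer, wrong length

    out = {
        "exact_len_checked_ok": decrypt_checked(ct) == plaintext,
        "oversized_unchecked_ok": decrypt_unchecked(oversized) == plaintext,
    }
    try:
        decrypt_checked(oversized)
        out["oversized_checked_rejected"] = False
    except DecryptionError:
        out["oversized_checked_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows `decrypt_unchecked` returning the plaintext for a ciphertext carrying a thousand leading zero bytes, while `decrypt_checked` raises `DecryptionError` on the same input and still decrypts the correctly sized ciphertext. For deployments stuck on a version before 4.1, the same check can be applied at the application boundary before the ciphertext reaches the library: reject any input whose length differs from the key's byte size.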
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | python-rsa | < python-rsa 4.7.2-1 (bookworm) | python-rsa 4.7.2-1 (bookworm) |
| fedoraproject | fedora | — | — |
| paloalto | pan-os | — | — |
| python-rsa_project | python-rsa | < 4.1 | 4.1 |
| python-rsa_project | python-rsa | >= 0 < 4.7.2-1 | 4.7.2-1 |
| rustcrypto | rsa | >= 0 < 4.1 | 4.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Palo Alto
PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
vendor_paloalto · 2024-02-14 · CVSS 9.8 · CVE-2017-18342 [CRITICAL]
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-18342, CVE-2017-8923, CVE-2017-9120, CVE-2019-1551, CVE-2019-16865, CVE-2019-16905, CVE-2019-19523, CVE-2019-19528, CVE-2019-19911, CVE-2020-0404, CVE-2020-0431, CVE-2020-0466, CVE-2020-10379, CVE-2020-11538, CVE-2020-11608, CVE-2020-12114, CVE-2020-12321, CVE-2020-12362, CVE-2020-12363, CVE-2020-12364, CVE-2020-13757, CVE-2020-14314, CVE-2020-14351, CVE-2020-15778, CVE-2020-1967, CVE-2020-24394, CVE-2020-24504, CVE-2020-25211, CVE-2020-25212, CVE-2020-25284, CVE-2020-25285, CVE-2020-25717, CVE-2020-26541, CVE-2020-2715
Ubuntu
Python-RSA vulnerability
vendor_ubuntu · 2022-02-21 · CVE-2020-13757
Summary: Python-RSA could be made to expose sensitive information over the network.
USN-4478-1 fixed a vulnerability in Python-RSA. This update provides the corresponding update for Ubuntu 16.04 ESM, Ubuntu 18.04 ESM and Ubuntu 20.04 ESM.
Original advisory details: It was discovered that Python-RSA incorrectly handled certain ciphertexts. An attacker could possibly use this issue to obtain sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Python-RSA vulnerability
vendor_ubuntu · 2020-08-31 · CVE-2020-13757
Summary: Python-RSA could be made to expose sensitive information over the network.
It was discovered that Python-RSA incorrectly handled certain ciphertexts. An attacker could possibly use this issue to obtain sensitive information.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
python-rsa: decryption of ciphertext leads to DoS
vendor_redhat · 2020-05-27 · CVSS 7.5 · HIGH · CWE-325
A flaw was found in the python-rsa package, where it does not explicitly check the ciphertext length against the key size and ignores the leading 0 bytes during the decryption of the ciphertext. This flaw allows an attacker to perform a ciphertext attack, leading to a denial of service. The highest threat from this vulnerability is to confidentiality.
Statement: In Red Hat OpenStack Platform, because the flaw ha
Debian
CVE-2020-13757: python-rsa - Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext...
vendor_debian · 2020 · CVSS 7.5 · HIGH
Scope: local
bookworm: resolved (fixed in 4.7.2-1)
bullseye: open
forky: resolved (fixed in 4.7.2-1)
sid: resolved (fixed in 4.7.2-1)
trixie: resolved (fixed in 4.7.2-1)
GHSA
Python-RSA decryption of ciphertext leads to DoS
ghsa · 2021-03-24 · HIGH · CWE-327
OSV
Python-RSA decryption of ciphertext leads to DoS
osv · 2021-03-24 · HIGH
OSV
CVE-2020-13757: Python-RSA before 4
osv · 2020-06-01 · CVSS 7.5 · HIGH
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-13757 python-rsa: decryption of ciphertext leads to DoS [openstack-rdo]
bugzilla · 2020-06-25 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of openstack-rdo.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
python-rsa is upgraded to 4.6 in
Bugzilla
CVE-2020-13757 python-rsa: decryption of ciphertext leads to DoS [epel-all]
bugzilla · 2020-06-18 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of epel-all.
NOTE: this issue affects multiple supported versions of
Bugzilla
CVE-2020-13757 python-rsa: decryption of ciphertext leads to DoS
bugzilla · 2020-06-18 · CVSS 7.5 · HIGH
A vulnerability was found in Python-RSA before 4.1: it ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).
References:
https://github.com/sybrenstuvel/python-rsa/issues/146
https://github.com/sybrenstuvel/python-rsa/issues/146#issuecomment-641845667
Discussion:
Created python-rsa tracking bugs for this issue:
Affects: epel-all [bug 1848509]
Affects: fedora-all [bug 1848508]
---
Upstream patch: https://github.com/sybrenstuvel/python-rsa/commit/93af6f2f89a9bf28361e67716c4
Bugzilla
CVE-2020-13757 python-rsa: decryption of ciphertext leads to DoS [fedora-all]
bugzilla · 2020-06-18 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
NOTE: this issue affects multiple supported versions
References:
https://github.com/sybrenstuvel/python-rsa/issues/146
https://github.com/sybrenstuvel/python-rsa/issues/146#issuecomment-641845667
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2KILTHBHNSDUCYV22ODLOKTICJJ7JQIQ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ZYB65VNILRBTXL6EITQTH2PZPK7I23MW/
https://usn.ubuntu.com/4478-1/