CVE-2020-25658 (Medium) detected in rsa-4.0-py2.py3-none-any.whl

[mend-bolt-for-github]

CVE-2020-25658 - Medium Severity Vulnerability

Vulnerable Library - rsa-4.0-py2.py3-none-any.whl

Pure-Python RSA implementation

Library home page: https://files.pythonhosted.org/packages/02/e5/38518af393f7c214357079ce67a317307936896e961e35450b70fad2a9cf/rsa-4.0-py2.py3-none-any.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy:

• google_cloud_firestore-1.4.0-py2.py3-none-any.whl (Root Library)
  • google_cloud_core-1.2.0-py2.py3-none-any.whl
    • google_api_core-1.16.0-py2.py3-none-any.whl
      • google_auth-1.11.0-py2.py3-none-any.whl
        • ❌ rsa-4.0-py2.py3-none-any.whl (Vulnerable Library)

Vulnerability Details

It was found that python-rsa is vulnerable to Bleichenbacher timing attacks. An attacker can use this flaw via the RSA decryption API to decrypt parts of the cipher text encrypted with RSA.

Publish Date: 2020-11-12

URL: CVE-2020-25658

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-xrx6-fmxq-rjj2

Release Date: 2020-11-12

Fix Resolution (rsa): 4.7

Direct dependency fix Resolution (google-cloud-firestore): 1.5.0

---

Step up your Open Source Security Game with Mend here