Description
Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).
A flaw was found in the python-rsa package, where it does not explicitly check the ciphertext length against the key size and ignores the leading 0 bytes during the decryption of the ciphertext. This flaw allows an attacker to perform a ciphertext attack, leading to a denial of service. The highest threat from this vulnerability is to confidentiality.
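The behaviour described above, as an added example that is not code from the python-rsa project or from this advisory: a textbook-RSA toy (the classic p=61, q=53 parameters, constructed here and far too small for real use) whose `lenient_decrypt` mirrors the pre-4.1 behaviour, converting the ciphertext bytes to an integer without looking at their length, beside a `strict_decrypt` that first requires the ciphertext to be exactly the key's block size. All function names are this example's own.

```python
# Added example (not python-rsa project code): why ciphertext length must be
# checked against the key size before RSA decryption.
# Toy textbook key, constructed here; these numbers are only for readability.
P, Q = 61, 53
N = P * Q            # 3233, the modulus
E = 17               # public exponent
D = 2753             # private exponent: (E * D) % lcm(P - 1, Q - 1) == 1


class DecryptionError(Exception):
    """Raised when a ciphertext is rejected before or during decryption."""


def byte_size(n: int) -> int:
    """Number of bytes needed to hold the modulus n (the RSA block size)."""
    return (n.bit_length() + 7) // 8


def encrypt(message: int) -> bytes:
    """Textbook RSA (no padding) producing a fixed-width ciphertext block."""
    if not 0 <= message < N:
        raise ValueError("message must be smaller than the modulus")
    return pow(message, E, N).to_bytes(byte_size(N), "big")


def lenient_decrypt(ciphertext: bytes) -> int:
    """Mirrors the pre-fix behaviour: bytes -> int -> modular exponentiation.

    int.from_bytes discards leading zero bytes, so any number of '\\0' bytes
    prepended to a valid block yields the same integer and the same plaintext,
    and the whole (possibly huge) input is converted before anything is checked.
    """
    return pow(int.from_bytes(ciphertext, "big"), D, N)


def strict_decrypt(ciphertext: bytes) -> int:
    """Hardened variant: reject any ciphertext that is not exactly one block.

    The length check runs before the big-integer conversion, so oversized
    input is refused without allocating for it.
    """
    if len(ciphertext) != byte_size(N):
        raise DecryptionError("ciphertext length does not match key size")
    return lenient_decrypt(ciphertext)


def is_accepted(ciphertext: bytes, decrypt) -> bool:
    """True if the given decrypt function accepts the ciphertext at all."""
    try:
        decrypt(ciphertext)
        return True
    except DecryptionError:
        return False


if __name__ == "__main__":
    block = encrypt(65)                       # 2-byte block for this toy key
    padded = b"\x00" * 1000 + block           # same integer, 1002 bytes long
    print(len(block), lenient_decrypt(block), strict_decrypt(block))
    print(len(padded), lenient_decrypt(padded), is_accepted(padded, strict_decrypt))
```

The lenient path decrypts `block` and the zero-padded `padded` to the same plaintext, which is exactly the length-insensitivity the advisory describes; the strict path accepts only the two-byte block, so the size of work and memory an application spends on a ciphertext is bounded by the key size rather than by whatever a client sends.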
Statement
In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP python-rsa package.
Affected packages
| Platform | Package | Status | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Ceph Storage 4 | python-rsa | Affected | | |
| Red Hat OpenStack Platform 13 (Queens) | python-rsa | Will not fix | | |
| Red Hat OpenStack Platform 15 (Stein) | python-rsa | Will not fix | | |
| Red Hat OpenStack Platform 16 (Train) | python-rsa | Will not fix | | |
| Red Hat Quay 3 | python-rsa | Affected | | |
| Red Hat OpenShift Container Platform 3.11 | python-rsa | Fixed | RHSA-2020:3541 | 27.08.2020 |
| Red Hat OpenShift Container Platform 4.5 | python-rsa | Fixed | RHSA-2020:3453 | 18.08.2020 |
Additional information
Status: 7.5 High (CVSS3)