Skip to content

CVE-2020-25659 (Medium) detected in cryptography-2.6.1-cp27-cp27mu-manylinux1_x86_64.whl, cryptography-2.9.2-cp27-cp27mu-manylinux2010_x86_64.whl #117

New issue
New issue
Open
Open
CVE-2020-25659 (Medium) detected in cryptography-2.6.1-cp27-cp27mu-manylinux1_x86_64.whl, cryptography-2.9.2-cp27-cp27mu-manylinux2010_x86_64.whl#117
Labels
security vulnerabilitySecurity vulnerability detected by WhiteSource
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Mar 25, 2021

CVE-2020-25659 - Medium Severity Vulnerability

Vulnerable Libraries - cryptography-2.6.1-cp27-cp27mu-manylinux1_x86_64.whl, cryptography-2.9.2-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography-2.6.1-cp27-cp27mu-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/c3/c1/cf8665c955c9393e9ff0872ba6cd3dc6f46ef915e94afcf6e0410508ca69/cryptography-2.6.1-cp27-cp27mu-manylinux1_x86_64.whl

Path to dependency file: cloud-pipeline/scripts/git-role-management/requirements.txt

Path to vulnerable library: cloud-pipeline/scripts/git-role-management/requirements.txt

Dependency Hierarchy:

  • cryptography-2.6.1-cp27-cp27mu-manylinux1_x86_64.whl (Vulnerable Library)
cryptography-2.9.2-cp27-cp27mu-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/45/f9/ee6878ab822eef403a4282c8ce80d56e3121c9576a6544377df809363b50/cryptography-2.9.2-cp27-cp27mu-manylinux2010_x86_64.whl

Path to dependency file: cloud-pipeline/pipe-cli

Path to vulnerable library: cloud-pipeline/pipe-cli,cloud-pipeline/pipe-cli/requirements.txt,cloud-pipeline/pipe-cli/requirements.txt,cloud-pipeline/pipe-cli

Dependency Hierarchy:

  • pyOpenSSL-19.0.0-py2.py3-none-any.whl (Root Library)
    • cryptography-2.9.2-cp27-cp27mu-manylinux2010_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 1db3170e0bd699acd5fec6e3fcebfa68fe86edcf

Found in base branch: develop

Vulnerability Details

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.

Publish Date: 2021-01-11

URL: CVE-2020-25659

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hggm-jpg3-v476

Release Date: 2020-09-17

Fix Resolution: 3.2

Metadata

Metadata

Assignees

No one assigned

    Labels

    security vulnerabilitySecurity vulnerability detected by WhiteSource

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions