Lucene search

AmazonALAS2-2023-2150

HistoryJul 17, 2023 - 5:40 p.m.

Medium: python-rsa

2023-07-1717:40:00

alas.aws.amazon.com

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

5.9 Medium

AI Score

Confidence

High

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

0.002 Low

EPSS

Percentile

60.6%

JSON

Issue Overview:

A flaw was found in python-rsa, where it is vulnerable to Bleichenbacher timing attacks. This flaw allows an attacker, via the RSA decryption API, to decrypt parts of the ciphertext encrypted with RSA. The highest threat from this vulnerability is to confidentiality. (CVE-2020-25658)

Affected Packages:

python-rsa

Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.

Issue Correction:
Run yum update python-rsa to update your system.

New Packages:

noarch:  
    python2-rsa-3.4.1-1.amzn2.0.4.noarch  
    python3-rsa-3.4.1-1.amzn2.0.4.noarch  
  
src:  
    python-rsa-3.4.1-1.amzn2.0.4.src

Additional References

Red Hat: CVE-2020-25658

Mitre: CVE-2020-25658

OSVersionArchitecturePackageVersionFilename
Amazon Linux2noarchpython2-rsa< 3.4.1-1.amzn2.0.4python2-rsa-3.4.1-1.amzn2.0.4.noarch.rpm
Amazon Linux2noarchpython3-rsa< 3.4.1-1.amzn2.0.4python3-rsa-3.4.1-1.amzn2.0.4.noarch.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	2	noarch	python2-rsa	< 3.4.1-1.amzn2.0.4	python2-rsa-3.4.1-1.amzn2.0.4.noarch.rpm
Amazon Linux	2	noarch	python3-rsa	< 3.4.1-1.amzn2.0.4	python3-rsa-3.4.1-1.amzn2.0.4.noarch.rpm