Fluid Attacks Database

Description

python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	python-cryptography	>=0 <3.2.1-1	3.2.1-1
pypi	cryptography	>=0 <3.2	3.2
alpine v3.13	py3-cryptography	=0.6.1-r0 \|\| =0.8.2-r0 \|\| =1.0.2-r0 \|\| =1.3.1-r0 \|\| =1.3.2-r0 \|\| =1.4-r0 \|\| =1.4-r1 \|\| =1.4-r2 \|\| =1.5.2-r0 \|\| =1.5.2-r1 \|\| =1.5.3-r0 \|\| =1.7.2-r0 \|\| =1.7.2-r1 \|\| =1.8.1-r0 \|\| =1.8.1-r1 \|\| =1.9-r0 \|\| =2.0.2-r0 \|\| =2.0.3-r0 \|\| =2.0.3-r1 \|\| =2.1.3-r0 \|\| =2.1.4-r0 \|\| =2.1.4-r1 \|\| =2.2.2-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.4.2-r0 \|\| =2.4.2-r1 \|\| =2.4.2-r2 \|\| =2.5-r0 \|\| =2.6.1-r0 \|\| =2.6.1-r1 \|\| =2.7-r0 \|\| =2.7-r1 \|\| =2.8-r0 \|\| =2.8-r1 \|\| =2.9-r0 \|\| =2.9.2-r0 \|\| >=0 <3.2.1-r0	3.2.1-r0
alpine v3.14	py3-cryptography	=0.6.1-r0 \|\| =0.8.2-r0 \|\| =1.0.2-r0 \|\| =1.3.1-r0 \|\| =1.3.2-r0 \|\| =1.4-r0 \|\| =1.4-r1 \|\| =1.4-r2 \|\| =1.5.2-r0 \|\| =1.5.2-r1 \|\| =1.5.3-r0 \|\| =1.7.2-r0 \|\| =1.7.2-r1 \|\| =1.8.1-r0 \|\| =1.8.1-r1 \|\| =1.9-r0 \|\| =2.0.2-r0 \|\| =2.0.3-r0 \|\| =2.0.3-r1 \|\| =2.1.3-r0 \|\| =2.1.4-r0 \|\| =2.1.4-r1 \|\| =2.2.2-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.4.2-r0 \|\| =2.4.2-r1 \|\| =2.4.2-r2 \|\| =2.5-r0 \|\| =2.6.1-r0 \|\| =2.6.1-r1 \|\| =2.7-r0 \|\| =2.7-r1 \|\| =2.8-r0 \|\| =2.8-r1 \|\| =2.9-r0 \|\| =2.9.2-r0 \|\| >=0 <3.2.1-r0	3.2.1-r0
debian 12	python-cryptography	>=0 <3.2.1-1	3.2.1-1
debian 13	python-cryptography	>=0 <3.2.1-1	3.2.1-1
debian 14	python-cryptography	>=0 <3.2.1-1	3.2.1-1
alpine v3.23	py3-cryptography	=0.6.1-r0 \|\| =0.8.2-r0 \|\| =1.0.2-r0 \|\| =1.3.1-r0 \|\| =1.3.2-r0 \|\| =1.4-r0 \|\| =1.4-r1 \|\| =1.4-r2 \|\| =1.5.2-r0 \|\| =1.5.2-r1 \|\| =1.5.3-r0 \|\| =1.7.2-r0 \|\| =1.7.2-r1 \|\| =1.8.1-r0 \|\| =1.8.1-r1 \|\| =1.9-r0 \|\| =2.0.2-r0 \|\| =2.0.3-r0 \|\| =2.0.3-r1 \|\| =2.1.3-r0 \|\| =2.1.4-r0 \|\| =2.1.4-r1 \|\| =2.2.2-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.4.2-r0 \|\| =2.4.2-r1 \|\| =2.4.2-r2 \|\| =2.5-r0 \|\| =2.6.1-r0 \|\| =2.6.1-r1 \|\| =2.7-r0 \|\| =2.7-r1 \|\| =2.8-r0 \|\| =2.8-r1 \|\| =2.9-r0 \|\| =2.9.2-r0 \|\| >=0 <3.2.1-r0	3.2.1-r0
rpm rhel8	python-cryptography	<0:3.2.1-4.el8	0:3.2.1-4.el8
rpm rhel7	python-cryptography	-	-

Aliases

1. CVE-2020-256592. NVD-2020-256593. OSV-DEBIAN-2020-256594. OSV-2020-256595. OSV-ALPINE-2020-256596. GHSA-hggm-jpg3-v4767. GCVE-2020-256598. SECURITY-TRACKER-CVE-2020-256599. SECURITY-CVE-2020-25659

References

1. https://github.com/pyca/cryptography/security/advisories/GHSA-hggm-jpg3-v4762. https://github.com/pyca/cryptography/pull/55073. https://github.com/pyca/cryptography/commit/58494b41d6ecb0f56b7c5f05d5f5e3ca0320d4944. https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2021-62.yaml5. https://pypi.org/project/cryptography6. https://www.oracle.com/security-alerts/cpuapr2022.html7. https://www.oracle.com/security-alerts/cpujul2022.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.