VDB
CVE-2020-26939
CVE-2020-26939
PUBLISHED
In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
EPSS 2.44% · 85.5th percentile
Risk Scores
EPSS Score
2.44%
85.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:16.04:LTS | bouncycastle | 0, 1.49+dfsg-3ubuntu1, 1.51-4ubuntu1 |
| Ubuntu:18.04:LTS | bouncycastle | 0, 1.58-1, 1.57-1 |
Exploit Intelligence
- CIRCL seen: CVE-2020-26939 (circl-sighting)
- https://github.com/bcgit/bc-java/wiki/CVE-2020-26939 (circl)
- [solr-issues] 20210525 [jira] [Created] (SOLR-15431) Security vulnerability with Bouncy Castle library within Apache Solr 8.8.2 (circl)
- suppressions_cve.xml (github-poc)
- suppressions_cve.xml (github-poc)
- suppressions_cve.xml (github-poc)
- suppressions_cve.xml (github-poc)
- suppressions_cve.xml (github-poc)
- suppressions_cve.xml (github-poc)
Timeline
- Nov 2, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- May 27, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-26939 third-party-advisory
- https://github.com/bcgit/bc-java/wiki/CVE-2020-26939 third-party-advisory
- https://github.com/bcgit/bc-java/commit/930f8b274c4f1f3a46e68b5441f1e7fadb57e8c1 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-26939 third-party-advisory