VDB
PYSEC-2020-99
PUBLISHED
Python-RSA before 4.1 ignores leading '\0' bytes during decryption of ciphertext. This could conceivably have a security-relevant impact, e.g., by helping an attacker to infer that an application uses Python-RSA, or if the length of accepted ciphertext affects application behavior (such as by causing excessive memory allocation).
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | rsa | 1.1, 1.3, 1.3.1 |
Timeline
- Jun 1, 2020 CVE Published
- Nov 8, 2023 CVE Updated
References
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KILTHBHNSDUCYV22ODLOKTICJJ7JQIQ/ (url)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZYB65VNILRBTXL6EITQTH2PZPK7I23MW/ (url)
- https://github.com/advisories/GHSA-537h-rv9q-vvph (advisory)
- https://usn.ubuntu.com/4478-1/ (advisory)
- https://github.com/sybrenstuvel/python-rsa/issues/146 (discussion)
- https://github.com/sybrenstuvel/python-rsa/issues/146#issuecomment-641845667 (discussion)