Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTcybTUtZnZ2di01NW02
Observable Differences in Behavior to Error Inputs in Bouncy Castle
In Legion of the Bouncy Castle BC before 1.55 and BC-FJA before 1.0.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
Permalink: https://github.com/advisories/GHSA-72m5-fvvv-55m6JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTcybTUtZnZ2di01NW02
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 3 years ago
Updated: 10 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00071
EPSS Percentile: 0.33011
Identifiers: GHSA-72m5-fvvv-55m6, CVE-2020-26939
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-26939
- https://github.com/bcgit/bc-java/commit/930f8b274c4f1f3a46e68b5441f1e7fadb57e8c1
- https://github.com/bcgit/bc-java/wiki/CVE-2020-26939
- https://lists.debian.org/debian-lts-announce/2020/11/msg00007.html
- https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e@%3Cissues.solr.apache.org%3E
- https://security.netapp.com/advisory/ntap-20201202-0005
- https://github.com/advisories/GHSA-72m5-fvvv-55m6
Blast Radius: 22.7
Affected Packages
maven:org.bouncycastle:bcprov-jdk15to18
Dependent packages: 187Dependent repositories: 341
Downloads:
Affected Version Ranges: < 1.61
Fixed in: 1.61
All affected versions:
All unaffected versions: 1.78.1
maven:org.bouncycastle:bcprov-jdk15on
Dependent packages: 3,304Dependent repositories: 18,945
Downloads:
Affected Version Ranges: < 1.61
Fixed in: 1.61
All affected versions:
All unaffected versions: 1.65.1
maven:org.bouncycastle:bcprov-ext-jdk16
Dependent packages: 16Dependent repositories: 147
Downloads:
Affected Version Ranges: < 1.61
Fixed in: 1.61
All affected versions:
All unaffected versions:
maven:org.bouncycastle:bcprov-ext-jdk15on
Dependent packages: 261Dependent repositories: 1,160
Downloads:
Affected Version Ranges: < 1.61
Fixed in: 1.61
All affected versions:
All unaffected versions:
maven:org.bouncycastle:bc-fips
Dependent packages: 50Dependent repositories: 550
Downloads:
Affected Version Ranges: < 1.0.2
Fixed in: 1.0.2
All affected versions: 1.0.0, 1.0.1
All unaffected versions: 1.0.2, 2.0.0
maven:org.bouncycastle:bcprov-jdk16
Dependent packages: 563Dependent repositories: 6,549
Downloads:
Affected Version Ranges: < 1.61
Fixed in: 1.61
All affected versions:
All unaffected versions:
maven:org.bouncycastle:bcprov-jdk15
Dependent packages: 104Dependent repositories: 985
Downloads:
Affected Version Ranges: < 1.61
Fixed in: 1.61
All affected versions:
All unaffected versions:
maven:org.bouncycastle:bcprov-jdk14
Dependent packages: 33Dependent repositories: 201
Downloads:
Affected Version Ranges: < 1.61
Fixed in: 1.61
All affected versions:
All unaffected versions: 1.78.1