Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTcybTUtZnZ2di01NW02
Observable Differences in Behavior to Error Inputs in Bouncy Castle
In Legion of the Bouncy Castle BC before 1.55 and BC-FJA before 1.0.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
Permalink: https://github.com/advisories/GHSA-72m5-fvvv-55m6JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTcybTUtZnZ2di01NW02
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 10 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-72m5-fvvv-55m6, CVE-2020-26939
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-26939
- https://github.com/bcgit/bc-java/commit/930f8b274c4f1f3a46e68b5441f1e7fadb57e8c1
- https://github.com/bcgit/bc-java/wiki/CVE-2020-26939
- https://lists.debian.org/debian-lts-announce/2020/11/msg00007.html
- https://security.netapp.com/advisory/ntap-20201202-0005/
- https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e@%3Cissues.solr.apache.org%3E
- https://github.com/advisories/GHSA-72m5-fvvv-55m6
Affected Packages
maven:org.bouncycastle:bc-fips
Versions: < 1.0.2Fixed in: 1.0.2
maven:org.bouncycastle:bcprov-jdk16
Versions: < 1.61Fixed in: 1.61
maven:org.bouncycastle:bcprov-jdk15
Versions: < 1.61Fixed in: 1.61
maven:org.bouncycastle:bcprov-jdk14
Versions: < 1.61Fixed in: 1.61