{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35696?format=json","vulnerability_id":"VCID-5ju3-cs33-8ygx","summary":"tlslite-ng is an open source Python library that implements SSL and TLS cryptographic protocols. In tlslite-ng before versions 0.7.6 and 0.8.0-alpha39, the code that performs decryption and padding check in RSA PKCS#1 v1.5 decryption is data-dependent. In particular, the code has multiple ways in which it leaks information about the decrypted ciphertext. It aborts as soon as the plaintext doesn't start with 0x00, 0x02. All TLS servers that enable RSA key exchange as well as applications that use the RSA decryption API directly are vulnerable. This is patched in versions 0.7.6 and 0.8.0-alpha39. Note: the patches depend on Python processing the individual bytes in a side-channel-free manner, which is known not to be the case (see reference). As such, users that require side-channel resistance are recommended to use different TLS implementations, as stated in the security policy of 
tlslite-ng.","aliases":[{"alias":"CVE-2020-26263"},{"alias":"GHSA-wvcv-832q-fjg7"},{"alias":"PYSEC-2020-143"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19366?format=json","purl":"pkg:pypi/tlslite-ng@0.7.6","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.7.6"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/11382?format=json","purl":"pkg:pypi/tlslite-ng@0.5.0b1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.5.0b1"},{"url":"http://public2.vulnerablecode.io/api/packages/11383?format=json","purl":"pkg:pypi/tlslite-ng@0.5.0b2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.5.0b2"},{"url":"http://public2.vulnerablecode.io/api/packages/11384?format=json","purl":"pkg:pypi/tlslite-ng@0.5.0b3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.5.0b3"},{"url":"http://public2.vulnerablecode.io/api/packages/11385?format=json","purl":"pkg:pypi/tlslite-ng@0.5.0b4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.5.0b4"},{"url":"http://public2.vulnerablecode.io/api/packages/11386?format=json","purl":"pkg:pypi/tlslite-ng@0.5.0b5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vu
lnerablecode.io/packages/pkg:pypi/tlslite-ng@0.5.0b5"},{"url":"http://public2.vulnerablecode.io/api/packages/11387?format=json","purl":"pkg:pypi/tlslite-ng@0.5.0b6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.5.0b6"},{"url":"http://public2.vulnerablecode.io/api/packages/11388?format=json","purl":"pkg:pypi/tlslite-ng@0.5.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.5.0"},{"url":"http://public2.vulnerablecode.io/api/packages/11389?format=json","purl":"pkg:pypi/tlslite-ng@0.5.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.5.1"},{"url":"http://public2.vulnerablecode.io/api/packages/11390?format=json","purl":"pkg:pypi/tlslite-ng@0.5.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.5.2"},{"url":"http://public2.vulnerablecode.io/api/packages/11391?format=json","purl":"pkg:pypi/tlslite-ng@0.6.0a1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.6.0a1"},{"url":"http://public2.vulnerablecode.io/api/packages/11392?format=json","purl":"pkg:pypi/tlslite-ng@0.6.0a2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/p
kg:pypi/tlslite-ng@0.6.0a2"},{"url":"http://public2.vulnerablecode.io/api/packages/11393?format=json","purl":"pkg:pypi/tlslite-ng@0.6.0a3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.6.0a3"},{"url":"http://public2.vulnerablecode.io/api/packages/11394?format=json","purl":"pkg:pypi/tlslite-ng@0.6.0a4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.6.0a4"},{"url":"http://public2.vulnerablecode.io/api/packages/11395?format=json","purl":"pkg:pypi/tlslite-ng@0.6.0a5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.6.0a5"},{"url":"http://public2.vulnerablecode.io/api/packages/11396?format=json","purl":"pkg:pypi/tlslite-ng@0.6.0b1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.6.0b1"},{"url":"http://public2.vulnerablecode.io/api/packages/11397?format=json","purl":"pkg:pypi/tlslite-ng@0.6.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.6.0"},{"url":"http://public2.vulnerablecode.io/api/packages/11398?format=json","purl":"pkg:pypi/tlslite-ng@0.7.0a1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng
@0.7.0a1"},{"url":"http://public2.vulnerablecode.io/api/packages/11399?format=json","purl":"pkg:pypi/tlslite-ng@0.7.0a2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.7.0a2"},{"url":"http://public2.vulnerablecode.io/api/packages/11400?format=json","purl":"pkg:pypi/tlslite-ng@0.7.0a3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.7.0a3"},{"url":"http://public2.vulnerablecode.io/api/packages/11401?format=json","purl":"pkg:pypi/tlslite-ng@0.7.0a4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.7.0a4"},{"url":"http://public2.vulnerablecode.io/api/packages/11402?format=json","purl":"pkg:pypi/tlslite-ng@0.7.0a5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.7.0a5"},{"url":"http://public2.vulnerablecode.io/api/packages/11403?format=json","purl":"pkg:pypi/tlslite-ng@0.7.0a6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.7.0a6"},{"url":"http://public2.vulnerablecode.io/api/packages/11404?format=json","purl":"pkg:pypi/tlslite-ng@0.7.0a7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.7.0a7"},{"u
rl":"http://public2.vulnerablecode.io/api/packages/11405?format=json","purl":"pkg:pypi/tlslite-ng@0.7.0a8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.7.0a8"},{"url":"http://public2.vulnerablecode.io/api/packages/11406?format=json","purl":"pkg:pypi/tlslite-ng@0.7.0a9","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.7.0a9"},{"url":"http://public2.vulnerablecode.io/api/packages/11407?format=json","purl":"pkg:pypi/tlslite-ng@0.7.0b1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.7.0b1"},{"url":"http://public2.vulnerablecode.io/api/packages/11408?format=json","purl":"pkg:pypi/tlslite-ng@0.7.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.7.0"},{"url":"http://public2.vulnerablecode.io/api/packages/11409?format=json","purl":"pkg:pypi/tlslite-ng@0.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/11410?format=json","purl":"pkg:pypi/tlslite-ng@0.7.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.7.2"},{"url":"http://public2.vulner
ablecode.io/api/packages/11411?format=json","purl":"pkg:pypi/tlslite-ng@0.7.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"},{"vulnerability":"VCID-q2yu-yvd5-sbhs"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.7.3"},{"url":"http://public2.vulnerablecode.io/api/packages/11412?format=json","purl":"pkg:pypi/tlslite-ng@0.7.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.7.4"},{"url":"http://public2.vulnerablecode.io/api/packages/19365?format=json","purl":"pkg:pypi/tlslite-ng@0.7.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5ju3-cs33-8ygx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/tlslite-ng@0.7.5"}],"references":[{"reference_url":"https://github.com/tlsfuzzer/tlslite-ng/commit/c28d6d387bba59d8bd5cb3ba15edc42edf54b368","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/tlsfuzzer/tlslite-ng/commit/c28d6d387bba59d8bd5cb3ba15edc42edf54b368"},{"reference_url":"https://github.com/tlsfuzzer/tlslite-ng/pull/438","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/tlsfuzzer/tlslite-ng/pull/438"},{"reference_url":"https://github.com/tlsfuzzer/tlslite-ng/pull/439","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/tlsfuzzer/tlslite-ng/pull/439"},{"reference_url":"https://github.com/tlsfuzzer/tlslite-ng/security/advisories/GHSA-wvcv-832q-fjg7","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/tlsfuzzer/tlslite-ng/security/advisories/GHSA-wvcv-832q-fjg7"},{"reference_url":"https://pypi.org/project/tlslite-ng/","reference_id":"","reference_type":"","scores":[],"url":"https://pypi.org/project/tlslite-ng/"},{"reference_url":"https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/","reference_id":
"","reference_type":"","scores":[],"url":"https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/"}],"weaknesses":[],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5ju3-cs33-8ygx"}