Home

CVE-2020-26939

Description

In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.

Risk Information

Base Score
5.3
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score
Exploitation Probability
2.437

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2020-26939 are fixed in BouncyCastle-bcprov-jdk15on 1.61Windows
Vulnerabilities CVE-2020-26939 are fixed in BouncyCastle-bcprov-jdk15to18 1.61Windows
Vulnerabilities CVE-2020-26939 are fixed in BouncyCastle-bc-fips 1.0.2Windows
Vulnerabilities CVE-2020-26939 are fixed in BouncyCastle-bcprov-ext-jdk15on 1.61Windows
Vulnerabilities CVE-2020-26939 are fixed in BouncyCastle-bcprov-ext-jdk16 1.61Windows
Vulnerabilities CVE-2020-26939 are fixed in BouncyCastle-bcprov-jdk16 1.61Windows
Multiple Vulnerabilities are affected in IBM Security Guardium 11.3Windows
Vulnerabilities CVE-2020-26939 are fixed in BouncyCastle - bcprov-jdk14 1.61Windows
Vulnerabilities CVE-2020-26939 are fixed in BouncyCastle - bcprov-jdk15 1.61Windows
Vulnerabilities CVE-2020-26939 are fixed in BouncyCastle-bcprov-jdk15on for Linux 1.61Linux
Vulnerabilities CVE-2020-26939 are fixed in BouncyCastle-bcprov-jdk15to18 for Linux 1.61Linux
Vulnerabilities CVE-2020-26939 are fixed in BouncyCastle-bc-fips for Linux 1.0.2Linux
Vulnerabilities CVE-2020-26939 are fixed in BouncyCastle-bcprov-ext-jdk15on for Linux 1.61Linux
Vulnerabilities CVE-2020-26939 are fixed in BouncyCastle-bcprov-ext-jdk16 for Linux 1.61Linux
Vulnerabilities CVE-2020-26939 are fixed in BouncyCastle-bcprov-jdk16 for Linux 1.61Linux
Vulnerabilities CVE-2020-26939 are fixed in BouncyCastle - bcprov-jdk14 for Linux 1.61Linux
Vulnerabilities CVE-2020-26939 are fixed in BouncyCastle - bcprov-jdk15 for Linux 1.61Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234