CVE-2020-26939

{"id": "CVE-2020-26939", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2020-11-02T22:15:13.393", "references": [{"url": "https://github.com/bcgit/bc-java/wiki/CVE-2020-26939", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e%40%3Cissues.solr.apache.org%3E", "source": "cve@mitre.org"}, {"url": "https://github.com/bcgit/bc-java/wiki/CVE-2020-26939", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.apache.org/thread.html/r8c36ba34e80e05eecb1f80071cc834d705616f315b634ec0c7d8f42e%40%3Cissues.solr.apache.org%3E", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-203"}]}], "descriptions": [{"lang": "en", "value": "In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption."}, {"lang": "es", "value": "En Legion of the Bouncy Castle BC versiones anteriores a 1.61 y BC-FJA versiones anteriores a 1.0.1.2, los atacantes pueden obtener informaci\u00f3n confidencial sobre un exponente privado debido a las diferencias observables en el comportamiento de las entradas de error. Esto se presenta en org.bouncycastle.crypto.encodings.OAEPEncoding. El env\u00edo de texto cifrado no v\u00e1lido que es descifrado en una carga \u00fatil corta en el decodificador OAEP podr\u00eda resultar en el lanzamiento de una excepci\u00f3n temprana, filtrando potencialmente alguna informaci\u00f3n sobre el exponente privado de la clave privada RSA que realiza el cifrado"}], "lastModified": "2025-07-17T17:04:58.987", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bouncycastle:fips_java_api:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F0B7168C-AAB1-4E4D-8B38-C50C38FBF3D6", "versionEndExcluding": "1.0.1.2"}, {"criteria": "cpe:2.3:a:bouncycastle:legion-of-the-bouncy-castle:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B5ECAFEE-393F-426E-8BF8-752D09EFF9F2", "versionEndExcluding": "1.61"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}