CVE-2020-26939 in Bouncycastle and Apache Products
Published on November 2, 2020
In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
Products Associated with CVE-2020-26939
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2020-26939 are published in these products:
Exploit Probability
EPSS
2.44%
Percentile
84.96%
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.