CVE-2020-25659: 
Python vulnerability analysis and mitigation

Python-cryptography version 3.2 was found to be vulnerable to Bleichenbacher timing attacks in the RSA decryption API. The vulnerability was discovered in 2020 and assigned identifier CVE-2020-25659. The vulnerability affects the RSA decryption functionality through timed processing of valid PKCS#1 v1.5 ciphertext (NVD, CVE).

The vulnerability exists in the RSA decryption API implementation where it is susceptible to timing-based Bleichenbacher attacks when processing valid PKCS#1 v1.5 ciphertext. The vulnerability has a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating it is network accessible but requires high attack complexity (NVD).

A successful exploitation of this vulnerability could allow an attacker to obtain information through timing analysis of RSA decryption operations. The vulnerability primarily affects confidentiality, with potential for exposing sensitive information processed through the RSA decryption API (NVD).

The vulnerability was fixed in python-cryptography version 3.3.2. Users should upgrade to this or later versions. The fix attempts to make RSA PKCS#1v1.5 decryption more constant time to protect against Bleichenbacher vulnerabilities (Debian, GitHub Patch).

The vulnerability was reported by Hubert Kario and was acknowledged as a significant security issue in the python-cryptography library. The maintainers noted that due to API limitations, they could not completely mitigate this vulnerability and indicated that a future release would contain a new API designed to be more resilient to these types of attacks (GitHub Patch).