
Cloud Vulnerability DB
A community-led vulnerabilities database
A high-severity flaw (CVE-2023-50781) in m2crypto, a Python wrapper around OpenSSL, was disclosed on February 5, 2024. It affects the library's RSA decryption API and, in practice, TLS servers that use RSA key exchange. The flaw is the result of an incomplete fix for an earlier issue of the same kind (CVE-2020-25657) and is present in multiple m2crypto versions shipped by various operating systems, including Red Hat Enterprise Linux and Ubuntu (NVD, Red Hat).
The vulnerability is a Bleichenbacher-style timing side channel (the Marvin attack) in the RSA decryption API. It has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The root cause is the API design: a decryption call with PKCS#1 v1.5 padding either returns the plaintext or reports a padding error, and that difference in outcome and in timing is exactly the yes/no oracle a Bleichenbacher attacker needs, which is why the leakage is difficult to close completely at the library level. The vulnerability specifically affects applications that use RSA decryption with PKCS#1 v1.5 padding (Red Hat Bugzilla).
A remote attacker who has captured TLS sessions to a server that uses RSA key exchange can, by sending many adaptively chosen ciphertexts and observing the server's behaviour, use the server as a decryption oracle to recover the sessions' pre-master secrets and decrypt the captured traffic. This exposes confidential or sensitive data transmitted through affected systems; the High confidentiality impact (C:H) in the vector reflects this, while integrity and availability are not affected (NVD).
The issue can be mitigated by using a cryptographic backend that implements implicit rejection (the Marvin workaround), as newer OpenSSL releases do: on invalid padding the decryption returns a deterministic, random-looking message of the expected length instead of an error, so the caller's behaviour no longer reveals whether the padding was valid. Because m2crypto's API can only hand back a plaintext or an error, a complete fix inside m2crypto itself is generally not believed to be possible (Red Hat Bugzilla). The durable fix is to stop depending on RSA PKCS#1 v1.5 decryption altogether: use RSA-OAEP for encryption, and (EC)DHE key exchange or TLS 1.3, which has no RSA key exchange, for TLS.
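The following is an added example, not code from the advisory or from m2crypto, showing the two API shapes discussed above on a textbook RSA implementation: an "explicit rejection" decryptor that raises on bad PKCS#1 v1.5 padding, and a simplified "implicit rejection" decryptor that instead derives a synthetic message from the private exponent and the ciphertext. The attacker-side function performs Bleichenbacher's basic step (c' = c * s^e mod n) and records whether the server's decrypt raised; with explicit rejection the answers differ between multipliers, with implicit rejection they do not. The key-generation routine, the 48-byte pre-master-secret stand-in and the HMAC-SHA256 derivation are assumptions of this demo; nothing here is constant-time, which is a second reason not to use it outside a demonstration.

```python
# Added example (not from the advisory or from m2crypto): PKCS#1 v1.5 decryption
# with explicit vs. implicit rejection, and the oracle an attacker sees.
# Textbook RSA, demo-only key generation, not constant-time.
import hashlib
import hmac
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; adequate for a throwaway demo key."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(c):
            return c


def generate_key(bits=512):
    """Return (n, e, d) with e = 65537 (demo key; far too small for real use)."""
    e = 65537
    while True:
        p, q = (_random_prime(bits // 2) for _ in range(2))
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so phi % e != 0 means gcd(e, phi) == 1
            return p * q, e, pow(e, -1, phi)


def _k(n):
    return (n.bit_length() + 7) // 8


def encrypt_pkcs1_v15(pub, msg):
    """EME-PKCS1-v1_5: 00 02 || PS (nonzero, >= 8 bytes) || 00 || M, then RSA."""
    n, e = pub
    k = _k(n)
    if len(msg) > k - 11:
        raise ValueError("message too long")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(msg)))
    em = b"\x00\x02" + ps + b"\x00" + msg
    return pow(int.from_bytes(em, "big"), e, n).to_bytes(k, "big")


def _rsa_private_op(priv, ct):
    n, _, d = priv
    c = int.from_bytes(ct, "big")
    if len(ct) != _k(n) or c >= n:
        raise ValueError("ciphertext out of range")  # length check, not a padding signal
    return pow(c, d, n).to_bytes(_k(n), "big")


def _unpad(em):
    """Message if em is PKCS#1 v1.5 conforming, else None (PS must be >= 8 bytes)."""
    sep = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x02" or sep < 10:
        return None
    return em[sep + 1:]


def decrypt_explicit_rejection(priv, ct):
    """The leaky API shape: a distinct error on bad padding. Whether this call
    raises (and how fast it does so) is the oracle Bleichenbacher's attack needs."""
    msg = _unpad(_rsa_private_op(priv, ct))
    if msg is None:
        raise ValueError("decryption error")
    return msg


def decrypt_implicit_rejection(priv, ct, expected_len):
    """Implicit rejection, simplified: a padding failure is never reported. A
    synthetic message of the expected length (48 bytes for a TLS pre-master
    secret) is derived from the private exponent and the ciphertext, so the same
    bad ciphertext always yields the same answer and the caller cannot tell."""
    n, _, d = priv
    em = _rsa_private_op(priv, ct)
    synthetic = hmac.new(d.to_bytes(_k(n), "big"), ct, hashlib.sha256).digest()
    while len(synthetic) < expected_len:
        synthetic += hashlib.sha256(synthetic).digest()
    msg = _unpad(em)
    return msg if msg is not None and len(msg) == expected_len else synthetic[:expected_len]


def forge_ciphertext(pub, ct, s):
    """Bleichenbacher's basic step: c' = c * s^e mod n decrypts to s * m mod n."""
    n, e = pub
    c = int.from_bytes(ct, "big") * pow(s, e, n) % n
    return c.to_bytes(_k(n), "big")


def oracle_transcript(priv, pub, ct, multipliers, expected_len=48):
    """Attacker's view of both APIs: True when the server's decrypt did not raise.
    Returns (answers_from_explicit_rejection, answers_from_implicit_rejection)."""
    def ask(decrypt):
        out = []
        for s in multipliers:
            try:
                decrypt(forge_ciphertext(pub, ct, s))
                out.append(True)
            except ValueError:
                out.append(False)
        return out
    return (ask(lambda c: decrypt_explicit_rejection(priv, c)),
            ask(lambda c: decrypt_implicit_rejection(priv, c, expected_len)))


if __name__ == "__main__":
    n, e, d = generate_key()
    pub, priv = (n, e), (n, e, d)
    ct = encrypt_pkcs1_v15(pub, secrets.token_bytes(48))  # constructed stand-in for a TLS PMS
    print(oracle_transcript(priv, pub, ct, [1, 2, 3]))
```

Running the demo prints something like `([True, False, False], [True, True, True])`: multiplying the plaintext by 2 or 3 moves it out of the `00 02` range, so the explicit-rejection API answers differently for s=1 than for s=2 and s=3, while the implicit-rejection API never signals anything. In a real TLS-RSA server the synthetic pre-master secret simply makes the handshake fail on the Finished MAC, the same way a genuinely wrong premaster would, so the attacker gets no padding information; what this Python demo cannot show is the remaining timing difference between the two code paths, which is why the real workaround also has to be constant-time.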
Source: This report was generated using AI