SCA: security update for tlslite-ng (GHSA-wvcv-832q-fjg7)

high Tenable Cloud Security Plugin ID 420127

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- tlslite-ng is an open source Python library that implements SSL and TLS cryptographic protocols. In
tlslite-ng before versions 0.7.6 and 0.8.0-alpha39, the code that performs decryption and padding check in
RSA PKCS#1 v1.5 decryption is data dependent. In particular, the code has multiple ways in which it leaks
information about the decrypted ciphertext. It aborts as soon as the plaintext doesn't start with 0x00,
0x02. All TLS servers that enable RSA key exchange as well as applications that use the RSA decryption API
directly are vulnerable. This is patched in versions 0.7.6 and 0.8.0-alpha39. Note: the patches depend on
Python processing the individual bytes in a side-channel-free manner; this is known not to be the case (see
reference). As such, users that require side-channel resistance are recommended to use different TLS
implementations, as stated in the security policy of tlslite-ng. (CVE-2020-26263)

See Also

https://github.com/advisories/GHSA-wvcv-832q-fjg7

Plugin Details

Severity: High

ID: 420127

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 1/28/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.09

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2020-26263

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 7.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/21/2020

Vulnerability Publication Date: 12/21/2020

Reference Information

CVE: CVE-2020-26263

CWE: CWE-326