CVE-2023-49092

2023-11-2821:15:08

CWE-385

CWE-203

[email protected]

web.nvd.nist.gov

rustcrypto

rsa

pure rust

implementation

timing information leakage

cve-2023-49092

nvd

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

5.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

37.3%

JSON

RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer.

Affected configurations

Vulners

NVD

Node

rustcryptorsaRange≤0.9.5

VendorProductVersionCPE
rustcryptorsa*cpe:2.3:a:rustcrypto:rsa:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
rustcrypto	rsa	*	cpe:2.3:a:rustcrypto:rsa::::::::

CNA Affected

[
  {
    "vendor": "RustCrypto",
    "product": "RSA",
    "versions": [
      {
        "version": "<= 0.9.5",
        "status": "affected"
      }
    ]
  }
]