Lucene search

Debian Security Bug TrackerDEBIANCVE:CVE-2023-49092

HistoryNov 28, 2023 - 9:15 p.m.

CVE-2023-49092

2023-11-2821:15:08

Debian Security Bug Tracker

security-tracker.debian.org

cve-2023-49092

rustcrypto/rsa

portable rsa implementation

pure rust

information leakage

timing information

network observation

key recovery

fix unavailable

workaround

attacker

timing observation

rsa crate

local use

non-compromised computer

unix

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

6.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

37.4%

JSON

RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer.

OSVersionArchitecturePackageVersionFilename
Debian999allrust-rsa<= 0.9.2-2rust-rsa_0.9.2-2_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	999	all	rust-rsa	<= 0.9.2-2	rust-rsa_0.9.2-2_all.deb

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

6.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

37.4%

JSON

Related for DEBIANCVE:CVE-2023-49092