CVE-2022-29185

Опубликовано: 20 мая 2022

Источник: nvd

CVSS3: 4.2

CVSS3: 4.4

CVSS2: 3.5

EPSS Низкий

Описание

totp-rs is a Rust library that permits the creation of 2FA authentification tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time, and could theorically be used to guess value of an TOTP token, and thus reuse it in the same time window. The attacker would have to know the password beforehand nonetheless. Starting with patched version 1.1.0, the library uses constant-time comparison. There are currently no known workarounds.

Ссылки

https://github.com/constantoine/totp-rs/issues/13
Issue Tracking
Third Party Advisory
https://github.com/constantoine/totp-rs/releases/tag/v1.1.0
Release Notes
Third Party Advisory
https://github.com/constantoine/totp-rs/security/advisories/GHSA-8vxv-2g8p-2249
Third Party Advisory
https://github.com/constantoine/totp-rs/issues/13
Issue Tracking
Third Party Advisory
https://github.com/constantoine/totp-rs/releases/tag/v1.1.0
Release Notes
Third Party Advisory
https://github.com/constantoine/totp-rs/security/advisories/GHSA-8vxv-2g8p-2249
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:totp-rs_project:totp-rs:*:*:*:*:*:rust:*:*

Версия до 1.1.0 (исключая)

EPSS

Процентиль: 58%

0.00361

Низкий

4.2 Medium

CVSS3

4.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-203

Связанные уязвимости

GHSA-8vxv-2g8p-2249

CVSS3: 4.2

github

больше 3 лет назад

Observable Timing Discrepancy in totp-rs

EPSS

Процентиль: 58%

0.00361

Низкий

4.2 Medium

CVSS3

4.4 Medium

CVSS3

3.5 Low

CVSS2

Дефекты

CWE-203