CVE-2023-49092

RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643	Issue Tracking
https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:rustcrypto:rsa:*:*:*:*:*:rust:*:*

History

28 Dec 2023, 18:54

Type	Values Removed	Values Added
CPE	cpe:2.3:a:rust-lang:rsa::::::rust::*	cpe:2.3:a:rustcrypto:rsa::::::rust::*
First Time		Rustcrypto rsa Rustcrypto

06 Dec 2023, 18:47

Type	Values Removed	Values Added
References	~~() https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr -~~	() https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr - Vendor Advisory
References	~~() https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643 -~~	() https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643 - Issue Tracking
CPE		cpe:2.3:a:rust-lang:rsa::::::rust::*
First Time		Rust-lang rsa Rust-lang
CWE	~~CWE-385~~	CWE-203
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.9

28 Nov 2023, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-11-28 21:15

Updated : 2024-02-28 20:54

NVD link : CVE-2023-49092

Mitre link : CVE-2023-49092

CVE.ORG link : CVE-2023-49092

JSON object : View

Products Affected

rustcrypto

rsa

CWE

CWE-203

Observable Discrepancy

CWE-385

Covert Timing Channel

{"id": "CVE-2023-49092", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2023-11-28T21:15:08.530", "references": [{"url": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643", "tags": ["Issue Tracking"], "source": "security-advisories@github.com"}, {"url": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-203"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-385"}]}], "descriptions": [{"lang": "en", "value": "RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer."}, {"lang": "es", "value": "RustCrypto/RSA es una implementaci\u00f3n RSA port\u00e1til en Rust puro. Debido a una implementaci\u00f3n de tiempo no constante, la informaci\u00f3n sobre la clave privada se filtra a trav\u00e9s de informaci\u00f3n de tiempo que es observable en la red. Un atacante puede utilizar esa informaci\u00f3n para recuperar la clave. Actualmente no hay ninguna soluci\u00f3n disponible. Como workaround, evite utilizar la caja RSA en entornos donde los atacantes puedan observar informaci\u00f3n de tiempo, por ejemplo, el uso local en una maquina no comprometida."}], "lastModified": "2023-12-28T18:54:22.443", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rustcrypto:rsa:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "248AAFCD-E795-48F3-AC41-468B1E2EB267"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}