CVE-2023-45287 — Vulnetix

Try Vulnetix Request Demo

CVE-2023-45287 PUBLISHED

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.

EPSS 0.19% · 40.1th percentile

Risk Scores

EPSS Score

0.19%

40.1th percentile

Affected Products

Vendor	Product	Versions
Bitnami	golang	0
Bitnami	golang	0

Timeline

Dec 5, 2023 CVE Published
Dec 6, 2023 EPSS Score
Jan 4, 2024 EPSS Score
Feb 2, 2024 EPSS Score
Mar 2, 2024 EPSS Score
Mar 31, 2024 EPSS Score
Apr 29, 2024 EPSS Score
May 28, 2024 EPSS Score
Jun 26, 2024 EPSS Score
Aug 22, 2024 EPSS Score
Sep 20, 2024 EPSS Score
Oct 19, 2024 EPSS Score

References

Open in Interactive Console →