CVE-2023-49092
PUBLISHED
CVSS 5.9 MEDIUM
RustCrypto/RSA is a portable RSA implementation in pure Rust. Because the implementation is not constant-time, information about the private key leaks through timing differences that are observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, restrict use of the RSA crate to settings where attackers cannot observe timing information, e.g. local use on a non-compromised computer.
EPSS 0.73% · 73.1th percentile
Risk Scores
- CVSS v3.1: 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
- EPSS Score: 0.73% (73.1th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| rustcrypto | rsa | |
| RustCrypto | RSA | *, <= 0.9.5 |
| crates.io | rsa | 0, 0 |
Timeline
- Nov 22, 2023 CVE Published
- Nov 29, 2023 EPSS Score
- Dec 29, 2023 EPSS Score
- Jan 27, 2024 EPSS Score
- Feb 26, 2024 EPSS Score
- Mar 27, 2024 EPSS Score
- Apr 25, 2024 EPSS Score
- May 25, 2024 EPSS Score
- Jun 24, 2024 EPSS Score
- Aug 22, 2024 EPSS Score
- Sep 21, 2024 EPSS Score
- Oct 5, 2024 Coalition ESS Score
References
- https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr url
- https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643 url
- https://nvd.nist.gov/vuln/detail/CVE-2023-49092 advisory
- https://github.com/RustCrypto/RSA package
- https://rustsec.org/advisories/RUSTSEC-2023-0071.html url
- https://github.com/RustCrypto/RSA/issues/626 url