CVE-2022-29185

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-29185

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-29185.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-29185

Aliases

Published

2022-05-20T20:15:10Z

Modified

2024-05-14T11:48:55.639195Z

Severity

4.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

totp-rs is a Rust library that permits the creation of 2FA authentification tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time, and could theorically be used to guess value of an TOTP token, and thus reuse it in the same time window. The attacker would have to know the password beforehand nonetheless. Starting with patched version 1.1.0, the library uses constant-time comparison. There are currently no known workarounds.

References

Affected packages

Git / github.com/constantoine/totp-rs

Affected ranges

Type: GIT
Repo: https://github.com/constantoine/totp-rs
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

7ecdf7d440fc2fb452d7664a5f2484067fe4ef05

Affected versions

v0.*

v0.7.1

v0.7.3

v0.7.4

v1.*

v1.0