GHSA-4grx-2x9w-596c

Suggest an improvement
Source
https://github.com/advisories/GHSA-4grx-2x9w-596c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-4grx-2x9w-596c/GHSA-4grx-2x9w-596c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-4grx-2x9w-596c
Aliases
Published
2023-11-28T23:28:25Z
Modified
2023-12-15T15:11:24.159127Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Marvin Attack: potential key recovery through timing sidechannels
Details

The [Marvin Attack] is a timing sidechannel vulnerability which allows performing RSA decryption and signing operations as an attacker with the ability to observe only the time of the decryption operation performed withthe private key.

A recent survey of RSA implementations found that the Rust rsa crate is one of many implementations vulnerable to this attack.

No fixed version is available at this time.

References

Affected packages

crates.io / rsa

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.9.6