GHSA-8vxv-2g8p-2249

Suggest an improvement
Source
https://github.com/advisories/GHSA-8vxv-2g8p-2249
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-8vxv-2g8p-2249/GHSA-8vxv-2g8p-2249.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-8vxv-2g8p-2249
Aliases
Published
2022-05-24T21:33:15Z
Modified
2023-11-08T04:09:09.176539Z
Severity
  • 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Observable Timing Discrepancy in totp-rs
Details

Impact

Token comparison was not constant time, and could theorically be used to guess value of an TOTP token, and thus reuse it in the same time window. The attacker would have to know the password beforehand nonetheless.

Patches

Library now used constant-time comparison.

Workarounds

No.

For more information

If you have any questions or comments about this advisory: * Open an issue in totp-rs * Email us at cleo.rebert@gmail.com

Database specific
{
    "nvd_published_at": "2022-05-20T20:15:00Z",
    "cwe_ids": [
        "CWE-203",
        "CWE-208"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-24T21:33:15Z"
}
References

Affected packages

crates.io / totp-rs

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.1.0

Ecosystem specific

{
    "affected_functions": [
        "totp_rs::TOTP::check"
    ]
}