Vulnerability-Lookup

CVE-2023-49092 (GCVE-0-2023-49092)

Vulnerability from cvelistv5 – Published: 2023-11-28 20:57 – Updated: 2024-11-27 16:03

Title

RustCrypto/RSA vulnerable to a Marvin Attack via key recovery through timing sidechannels

Summary

RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer.

Severity ?

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-385 - Covert Timing Channel

Assigner

GitHub_M

References

URL

Tags

	https://github.com/RustCrypto/RSA/security/adviso…	x_refsource_CONFIRM
	https://github.com/RustCrypto/RSA/issues/19#issue…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	RustCrypto	RSA	Affected: <= 0.9.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T21:46:28.810Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr"
          },
          {
            "name": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-49092",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-27T16:03:39.720474Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-27T16:03:51.520Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "RSA",
          "vendor": "RustCrypto",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 0.9.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-385",
              "description": "CWE-385: Covert Timing Channel",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-12-14T22:50:31.056Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr"
        },
        {
          "name": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643"
        }
      ],
      "source": {
        "advisory": "GHSA-c38w-74pg-36hr",
        "discovery": "UNKNOWN"
      },
      "title": "RustCrypto/RSA vulnerable to a Marvin Attack via key recovery through timing sidechannels"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-49092",
    "datePublished": "2023-11-28T20:57:06.739Z",
    "dateReserved": "2023-11-21T18:57:30.429Z",
    "dateUpdated": "2024-11-27T16:03:51.520Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rustcrypto:rsa:*:*:*:*:*:rust:*:*\", \"matchCriteriaId\": \"248AAFCD-E795-48F3-AC41-468B1E2EB267\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer.\"}, {\"lang\": \"es\", \"value\": \"RustCrypto/RSA es una implementaci\\u00f3n RSA port\\u00e1til en Rust puro. Debido a una implementaci\\u00f3n de tiempo no constante, la informaci\\u00f3n sobre la clave privada se filtra a trav\\u00e9s de informaci\\u00f3n de tiempo que es observable en la red. Un atacante puede utilizar esa informaci\\u00f3n para recuperar la clave. Actualmente no hay ninguna soluci\\u00f3n disponible. Como workaround, evite utilizar la caja RSA en entornos donde los atacantes puedan observar informaci\\u00f3n de tiempo, por ejemplo, el uso local en una maquina no comprometida.\"}]",
      "id": "CVE-2023-49092",
      "lastModified": "2024-11-21T08:32:48.380",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 5.9, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.2, \"impactScore\": 3.6}]}",
      "published": "2023-11-28T21:15:08.530",
      "references": "[{\"url\": \"https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\"]}, {\"url\": \"https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-385\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-203\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-49092\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-11-28T21:15:08.530\",\"lastModified\":\"2024-11-21T08:32:48.380\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer.\"},{\"lang\":\"es\",\"value\":\"RustCrypto/RSA es una implementaci\u00f3n RSA port\u00e1til en Rust puro. Debido a una implementaci\u00f3n de tiempo no constante, la informaci\u00f3n sobre la clave privada se filtra a trav\u00e9s de informaci\u00f3n de tiempo que es observable en la red. Un atacante puede utilizar esa informaci\u00f3n para recuperar la clave. Actualmente no hay ninguna soluci\u00f3n disponible. Como workaround, evite utilizar la caja RSA en entornos donde los atacantes puedan observar informaci\u00f3n de tiempo, por ejemplo, el uso local en una maquina no comprometida.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.2,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-385\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-203\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rustcrypto:rsa:*:*:*:*:*:rust:*:*\",\"matchCriteriaId\":\"248AAFCD-E795-48F3-AC41-468B1E2EB267\"}]}]}],\"references\":[{\"url\":\"https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\"]},{\"url\":\"https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr\", \"name\": \"https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643\", \"name\": \"https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T21:46:28.810Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-49092\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-27T16:03:39.720474Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-27T16:03:45.506Z\"}}], \"cna\": {\"title\": \"RustCrypto/RSA vulnerable to a Marvin Attack via key recovery through timing sidechannels\", \"source\": {\"advisory\": \"GHSA-c38w-74pg-36hr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"RustCrypto\", \"product\": \"RSA\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 0.9.5\"}]}], \"references\": [{\"url\": \"https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr\", \"name\": \"https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643\", \"name\": \"https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-385\", \"description\": \"CWE-385: Covert Timing Channel\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-12-14T22:50:31.056Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-49092\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-27T16:03:51.520Z\", \"dateReserved\": \"2023-11-21T18:57:30.429Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-11-28T20:57:06.739Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-C38W-74PG-36HR

Vulnerability from github – Published: 2023-11-28 23:28 – Updated: 2023-12-14 22:50

Summary

Marvin Attack: potential key recovery through timing sidechannels

Details

Impact

Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.

Patches

No patch is yet available, however work is underway to migrate to a fully constant-time implementation.

Workarounds

The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.

References

This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.

https://rustsec.org/advisories/RUSTSEC-2023-0071.html
https://people.redhat.com/~hkario/marvin/
https://github.com/RustCrypto/RSA/issues/19

Severity ?

5.9 (Medium)


                  
                    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "rsa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49092"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-385"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-28T23:28:27Z",
    "nvd_published_at": "2023-11-28T21:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nDue to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.\n\n### Patches\nNo patch is yet available, however work is underway to migrate to a fully constant-time implementation.\n\n### Workarounds\nThe only currently available workaround is to avoid using the `rsa` crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.\n\n### References\nThis vulnerability was discovered as part of the \"Marvin Attack\", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.\n\n- https://rustsec.org/advisories/RUSTSEC-2023-0071.html\n- https://people.redhat.com/~hkario/marvin/\n- https://github.com/RustCrypto/RSA/issues/19",
  "id": "GHSA-c38w-74pg-36hr",
  "modified": "2023-12-14T22:50:18Z",
  "published": "2023-11-28T23:28:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49092"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/RustCrypto/RSA"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2023-0071.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Marvin Attack: potential key recovery through timing sidechannels"
}

OPENSUSE-SU-2024:13542-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

cargo-audit-advisory-db-20231219-1.1 on GA media

Notes

Title of the patch

cargo-audit-advisory-db-20231219-1.1 on GA media

Description of the patch

These are all security issues fixed in the cargo-audit-advisory-db-20231219-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-13542

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "cargo-audit-advisory-db-20231219-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the cargo-audit-advisory-db-20231219-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13542",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13542-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-49092 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-49092/"
      }
    ],
    "title": "cargo-audit-advisory-db-20231219-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13542-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cargo-audit-advisory-db-20231219-1.1.aarch64",
                "product": {
                  "name": "cargo-audit-advisory-db-20231219-1.1.aarch64",
                  "product_id": "cargo-audit-advisory-db-20231219-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cargo-audit-advisory-db-20231219-1.1.ppc64le",
                "product": {
                  "name": "cargo-audit-advisory-db-20231219-1.1.ppc64le",
                  "product_id": "cargo-audit-advisory-db-20231219-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cargo-audit-advisory-db-20231219-1.1.s390x",
                "product": {
                  "name": "cargo-audit-advisory-db-20231219-1.1.s390x",
                  "product_id": "cargo-audit-advisory-db-20231219-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cargo-audit-advisory-db-20231219-1.1.x86_64",
                "product": {
                  "name": "cargo-audit-advisory-db-20231219-1.1.x86_64",
                  "product_id": "cargo-audit-advisory-db-20231219-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cargo-audit-advisory-db-20231219-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cargo-audit-advisory-db-20231219-1.1.aarch64"
        },
        "product_reference": "cargo-audit-advisory-db-20231219-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cargo-audit-advisory-db-20231219-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cargo-audit-advisory-db-20231219-1.1.ppc64le"
        },
        "product_reference": "cargo-audit-advisory-db-20231219-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cargo-audit-advisory-db-20231219-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cargo-audit-advisory-db-20231219-1.1.s390x"
        },
        "product_reference": "cargo-audit-advisory-db-20231219-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cargo-audit-advisory-db-20231219-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:cargo-audit-advisory-db-20231219-1.1.x86_64"
        },
        "product_reference": "cargo-audit-advisory-db-20231219-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-49092",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-49092"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:cargo-audit-advisory-db-20231219-1.1.aarch64",
          "openSUSE Tumbleweed:cargo-audit-advisory-db-20231219-1.1.ppc64le",
          "openSUSE Tumbleweed:cargo-audit-advisory-db-20231219-1.1.s390x",
          "openSUSE Tumbleweed:cargo-audit-advisory-db-20231219-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-49092",
          "url": "https://www.suse.com/security/cve/CVE-2023-49092"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1217629 for CVE-2023-49092",
          "url": "https://bugzilla.suse.com/1217629"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20231219-1.1.aarch64",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20231219-1.1.ppc64le",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20231219-1.1.s390x",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20231219-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20231219-1.1.aarch64",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20231219-1.1.ppc64le",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20231219-1.1.s390x",
            "openSUSE Tumbleweed:cargo-audit-advisory-db-20231219-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-49092"
    }
  ]
}

FKIE_CVE-2023-49092

Vulnerability from fkie_nvd - Published: 2023-11-28 21:15 - Updated: 2024-11-21 08:32

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643	Issue Tracking
security-advisories@github.com	https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643	Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr	Vendor Advisory

Impacted products

	Vendor	Product	Version
	rustcrypto	rsa	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rustcrypto:rsa:*:*:*:*:*:rust:*:*",
              "matchCriteriaId": "248AAFCD-E795-48F3-AC41-468B1E2EB267",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer."
    },
    {
      "lang": "es",
      "value": "RustCrypto/RSA es una implementaci\u00f3n RSA port\u00e1til en Rust puro. Debido a una implementaci\u00f3n de tiempo no constante, la informaci\u00f3n sobre la clave privada se filtra a trav\u00e9s de informaci\u00f3n de tiempo que es observable en la red. Un atacante puede utilizar esa informaci\u00f3n para recuperar la clave. Actualmente no hay ninguna soluci\u00f3n disponible. Como workaround, evite utilizar la caja RSA en entornos donde los atacantes puedan observar informaci\u00f3n de tiempo, por ejemplo, el uso local en una maquina no comprometida."
    }
  ],
  "id": "CVE-2023-49092",
  "lastModified": "2024-11-21T08:32:48.380",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-11-28T21:15:08.530",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-385"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-203"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2023-49092

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-49092

Aliases

CVE-2023-49092

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-49092",
    "id": "GSD-2023-49092"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-49092"
      ],
      "details": "RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer.",
      "id": "GSD-2023-49092",
      "modified": "2023-12-13T01:20:35.039001Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-49092",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "RSA",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c= 0.9.5"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "RustCrypto"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-385",
                "lang": "eng",
                "value": "CWE-385: Covert Timing Channel"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr",
            "refsource": "MISC",
            "url": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr"
          },
          {
            "name": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643",
            "refsource": "MISC",
            "url": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-c38w-74pg-36hr",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:rustcrypto:rsa:*:*:*:*:*:rust:*:*",
                    "matchCriteriaId": "248AAFCD-E795-48F3-AC41-468B1E2EB267",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer."
          },
          {
            "lang": "es",
            "value": "RustCrypto/RSA es una implementaci\u00f3n RSA port\u00e1til en Rust puro. Debido a una implementaci\u00f3n de tiempo no constante, la informaci\u00f3n sobre la clave privada se filtra a trav\u00e9s de informaci\u00f3n de tiempo que es observable en la red. Un atacante puede utilizar esa informaci\u00f3n para recuperar la clave. Actualmente no hay ninguna soluci\u00f3n disponible. Como workaround, evite utilizar la caja RSA en entornos donde los atacantes puedan observar informaci\u00f3n de tiempo, por ejemplo, el uso local en una maquina no comprometida."
          }
        ],
        "id": "CVE-2023-49092",
        "lastModified": "2023-12-28T18:54:22.443",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.2,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 2.2,
              "impactScore": 3.6,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2023-11-28T21:15:08.530",
        "references": [
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Issue Tracking"
            ],
            "url": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-203"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-385"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-49092 (GCVE-0-2023-49092)

GHSA-C38W-74PG-36HR

Impact

Patches

Workarounds

References

OPENSUSE-SU-2024:13542-1

FKIE_CVE-2023-49092

GSD-2023-49092

Tags

Sightings

Nomenclature