CVE-2023-49092

low-risk

Published 2023-11-28

RustCrypto/RSA is a portable RSA implementation in pure Rust. Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key. There is currently no fix available. As a workaround, avoid using the RSA crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer.

Do I need to act?

0.73% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Rsa

Affected Vendors

Rustcrypto

References (4)

Issue Tracking https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643

Vendor Advisory https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr

Issue Tracking https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643

Vendor Advisory https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr

/ 100

low-risk

Severity 18/34 · Moderate

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal