OMGeeky/advisory-db
1
0
Fork 0
mirror of https://github.com/OMGeeky/advisory-db.git synced 2025-12-27 06:29:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Possible timing attack in totp-rs (#1229)

Browse Source 
* Create RUSTSEC-0000-0000.md

* Fix [affected.functions]
This commit is contained in:
Cléo Rebert
2022-05-09 20:03:01 +02:00
committed by GitHub
parent 2875efb2f1
commit fa5b6696cf
1 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
crates/totp-rs/RUSTSEC-0000-0000.md Normal file
View File

@@ -0,0 +1,23 @@
```toml
[advisory]
id = "RUSTSEC-0000-0000"
package = "totp-rs"
date = "2022-05-09"
url = "https://github.com/constantoine/totp-rs/security/advisories/GHSA-8vxv-2g8p-2249"
categories = ["crypto-failure"]
cvss = "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N"
keywords = ["side-channel", "timing-attack"]
aliases = ["CVE-2022-29185"]
[affected.functions]
"totp_rs::TOTP::check" = ["< 1.1.0"]
[versions]
patched = [">= 1.1.0"]
```
# Timing attack
Affecting versions did not compare tokens in constant time, which could make it possible for an attacker to guess the 2fa token of a user.
This has been fixed by using using the crate constant_time_eq for comparison.