Reported

May 9, 2022

Issued

May 9, 2022 (last modified: June 13, 2023)

Package

totp-rs (crates.io)

Type

Vulnerability

Categories

• crypto-failure

Keywords

#side-channel #timing-attack

Aliases

• CVE-2022-29185
• GHSA-8vxv-2g8p-2249

References

• https://github.com/constantoine/totp-rs/security/advisories/GHSA-8vxv-2g8p-2249

CVSS Score

4.2 MEDIUM

CVSS Details

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality Impact

High

Integrity Impact

None

Availability Impact

None

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

Patched

• >=1.1.0

Affected Functions

Version

totp_rs::TOTP::check

• <1.1.0

Description

Affecting versions did not compare tokens in constant time, which could make it possible for an attacker to guess the 2fa token of a user.

This has been fixed by using using the crate constant_time_eq for comparison.

Advisory available under CC0-1.0 license.