admin/cvelist
1
0
Fork 0
mirror of https://github.com/CVEProject/cvelist.git synced 2025-07-29 05:56:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add CVE-2022-29185 for GHSA-8vxv-2g8p-2249

Browse Source 
Add CVE-2022-29185 for GHSA-8vxv-2g8p-2249
This commit is contained in:
advisory-database[bot] 2022-05-20 19:25:06 +00:00 committed by GitHub
parent 2d86ec250d
commit ae80b98cd7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 89 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

95
2022/29xxx/CVE-2022-29185.json
View File

@ -1,18 +1,101 @@
{
"data_type": "CVE",
"data_format": "MITRE",
"data_version": "4.0",
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-29185",
"ASSIGNER": "cve@mitre.org",
"STATE": "RESERVED"
"STATE": "PUBLIC",
"TITLE": "Observable Timing Discrepancy in totp-rs"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "totp-rs",
"version": {
"version_data": [
{
"version_value": "<1.1.0"
}
]
}
}
]
},
"vendor_name": "constantoine"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
"value": "totp-rs is a Rust library that permits the creation of 2FA authentification tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time, and could theorically be used to guess value of an TOTP token, and thus reuse it in the same time window. The attacker would have to know the password beforehand nonetheless. Starting with patched version 1.1.0, the library uses constant-time comparison. There are currently no known workarounds."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-208: Observable Timing Discrepancy"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-203: Observable Discrepancy"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/constantoine/totp-rs/security/advisories/GHSA-8vxv-2g8p-2249",
"refsource": "CONFIRM",
"url": "https://github.com/constantoine/totp-rs/security/advisories/GHSA-8vxv-2g8p-2249"
},
{
"name": "https://github.com/constantoine/totp-rs/issues/13",
"refsource": "MISC",
"url": "https://github.com/constantoine/totp-rs/issues/13"
},
{
"name": "https://github.com/constantoine/totp-rs/releases/tag/v1.1.0",
"refsource": "MISC",
"url": "https://github.com/constantoine/totp-rs/releases/tag/v1.1.0"
}
]
},
"source": {
"advisory": "GHSA-8vxv-2g8p-2249",
"discovery": "UNKNOWN"
}
}