CVE-2022-29185: Observable Timing Discrepancy in totp-rs
Token comparison was not constant time, and could theorically be used to guess value of an TOTP token, and thus reuse it in the same time window. The attacker would have to know the password beforehand nonetheless.
References
- github.com/advisories/GHSA-8vxv-2g8p-2249
- github.com/constantoine/totp-rs
- github.com/constantoine/totp-rs/commit/1f1e1a6fe722deb1656f483b1367ea4be978db5b
- github.com/constantoine/totp-rs/compare/v1.0...v1.1.0
- github.com/constantoine/totp-rs/issues/13
- github.com/constantoine/totp-rs/releases/tag/v1.1.0
- github.com/constantoine/totp-rs/security/advisories/GHSA-8vxv-2g8p-2249
- nvd.nist.gov/vuln/detail/CVE-2022-29185
- rustsec.org/advisories/RUSTSEC-2022-0018.html
Code Behaviors & Features
Detect and mitigate CVE-2022-29185 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →