CVE-2023-49092: Marvin Attack: potential key recovery through timing sidechannels

November 28, 2023 (updated December 14, 2023)

Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.

References

github.com/RustCrypto/RSA
github.com/RustCrypto/RSA/issues/19
github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr
github.com/advisories/GHSA-c38w-74pg-36hr
nvd.nist.gov/vuln/detail/CVE-2023-49092
rustsec.org/advisories/RUSTSEC-2023-0071.html

Code Behaviors & Features

Detect and mitigate CVE-2023-49092 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →