CVE-2022-29185
MEDIUMtotp-rs < 1.1.0 - Observable Timing Discrepancy in Token Comparison
Title source: llmDescription
totp-rs is a Rust library that permits the creation of 2FA authentification tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time, and could theorically be used to guess value of an TOTP token, and thus reuse it in the same time window. The attacker would have to know the password beforehand nonetheless. Starting with patched version 1.1.0, the library uses constant-time comparison. There are currently no known workarounds.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/constantoine/totp-rs/security/advisories/GHSA-8vxv-2g8p-2249
Issue Tracking, Third Party Advisory x_refsource_misc
https://github.com/constantoine/totp-rs/issues/13
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/constantoine/totp-rs/releases/tag/v1.1.0
Scores
CVSS v3
4.2
EPSS
0.0079
EPSS Percentile
51.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-208
CWE-203
Status
published
Products (2)
crates.io/totp-rs
0 - 1.1.0crates.io
totp-rs_project/totp-rs
< 1.1.0
Published
May 20, 2022
Tracked Since
Feb 18, 2026