CVE-2022-29185

MEDIUM

totp-rs <1.1.0 - Info Disclosure

Title source: llm

Description

totp-rs is a Rust library that permits the creation of 2FA authentification tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time, and could theorically be used to guess value of an TOTP token, and thus reuse it in the same time window. The attacker would have to know the password beforehand nonetheless. Starting with patched version 1.1.0, the library uses constant-time comparison. There are currently no known workarounds.

References (3)

[Third Party Advisory] https://github.com/constantoine/totp-rs/security/advisories/GHSA-8vxv-2g8p-2249

[Issue Tracking, Third Party Advisory] https://github.com/constantoine/totp-rs/issues/13

[Release Notes, Third Party Advisory] https://github.com/constantoine/totp-rs/releases/tag/v1.1.0

Scores

CVSS v3 4.2

EPSS 0.0036

EPSS Percentile 58.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-208 CWE-203

Status published

Products (2)

crates.io/totp-rs 0 - 1.1.0crates.io

totp-rs_project/totp-rs < 1.1.0

Published May 20, 2022

Tracked Since Feb 18, 2026