PT-2023-31051 · Openssl+1

Tomato42 · Published 2023-11-22 · Updated 2024-06-15 · CVE-2023-49092

CVSS v3.1: 5.9 Medium

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

RustCrypto/RSA (affected versions not specified)

Description

The issue is due to a non-constant-time implementation, which leaks information about the private key through timing information observable over the network. An attacker may use this information to recover the key. This vulnerability was discovered as part of the "Marvin Attack", which revealed that several RSA implementations, including OpenSSL, had not properly mitigated timing side-channel attacks.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider avoiding the use of the rsa crate in settings where attackers are able to observe timing information; local use on a non-compromised computer, for example, is fine.

Exploit

Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2023-49092
GHSA-4GRX-2X9W-596C
GHSA-C38W-74PG-36HR
OPENSUSE-SU-2024:13542-1
RUSTSEC-2023-0071

Affected Products

Debian
Openssl