CVE-2022-29185 MEDIUM

CVE-2022-29185: Observable Timing Discrepancy in totp-rs

Vendor Constantoine
Product totp-rs
Weakness CWE-208
Published May 20, 2022
Last update April 23, 2025

CVSS base score

4.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Scope Unchanged
Confidentiality High
Integrity None
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

What the vulnerability does

Description

totp-rs is a Rust library for creating 2FA authentication tokens using time-based one-time passwords (TOTP). Prior to version 1.1.0, token comparison was not constant-time and could theoretically be used to guess the value of a TOTP token and reuse it within the same time window. The attacker would nonetheless have to know the password beforehand. Starting with patched version 1.1.0, the library uses constant-time comparison. There are currently no known workarounds.
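The weakness described above (CWE-208) comes from a comparison that stops at the first mismatching byte, so the time it takes depends on how much of the supplied token is correct. The following is an added illustration written for this page, not code from totp-rs: both functions return, alongside the verdict, how many bytes they examined, which makes the data-dependent behaviour of the early-exit version visible next to a comparison that always does the same amount of work. Token values and function names are constructed for the example.

```rust
// Added example (not totp-rs code). Shows an early-exit comparison, whose
// running time depends on the position of the first mismatch, beside a
// fixed-work comparison that folds all byte differences with bitwise OR.
// The (bool, usize) return value is only there to expose the work done.

/// Early-exit comparison. Returns (equal, bytes_examined). The number of
/// bytes examined grows with the length of the correct prefix, which is
/// exactly the timing signal CWE-208 describes.
pub fn compare_early_exit(expected: &[u8], supplied: &[u8]) -> (bool, usize) {
    if expected.len() != supplied.len() {
        return (false, 0);
    }
    let mut examined = 0;
    for (a, b) in expected.iter().zip(supplied) {
        examined += 1;
        if a != b {
            // Mismatch found: stop here. This branch is the leak.
            return (false, examined);
        }
    }
    (true, examined)
}

/// Fixed-work comparison. Every byte is visited regardless of where the
/// first difference is; the differences are OR-ed together and only the
/// final accumulator decides the result, so there is no data-dependent
/// early return.
pub fn compare_constant_time(expected: &[u8], supplied: &[u8]) -> (bool, usize) {
    if expected.len() != supplied.len() {
        // Length is not secret for a fixed-length TOTP code, so rejecting
        // length mismatches up front does not leak anything about the digits.
        return (false, 0);
    }
    let mut diff: u8 = 0;
    let mut examined = 0;
    for (a, b) in expected.iter().zip(supplied) {
        examined += 1;
        diff |= a ^ b;
    }
    (diff == 0, examined)
}

/// Verifier-side check as a server would use it: only the verdict matters.
pub fn verify_token(expected: &str, supplied: &str) -> bool {
    compare_constant_time(expected.as_bytes(), supplied.as_bytes()).0
}

fn main() {
    // Constructed sample token; a real one comes from the TOTP generator.
    let expected = b"123456";
    for guess in [&b"023456"[..], b"120000", b"123450", b"123456"] {
        let (ok_e, n_e) = compare_early_exit(expected, guess);
        let (ok_c, n_c) = compare_constant_time(expected, guess);
        println!(
            "guess {:?}: early-exit -> {} after {} bytes, constant-time -> {} after {} bytes",
            std::str::from_utf8(guess).unwrap(), ok_e, n_e, ok_c, n_c
        );
    }
    println!("verify_token: {}", verify_token("123456", "123456"));
}
```

Running it shows the early-exit comparison examining 1, 3, 6 and 6 bytes for the four guesses while the fixed-work comparison always examines 6. In production code the usual choice is a vetted helper such as the `subtle` or `constant_time_eq` crates, which also guard against the optimizer reintroducing a short-circuit; the hand-written loop here is only meant to make the difference legible.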

Key dates

Disclosure timeline

May 20, 2022 CVE published
April 23, 2025 Record updated