CVE-2023-45287

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.
Configurations

Configuration 1 (hide)

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

History

12 Dec 2023, 16:26

Type Values Removed Values Added
CPE cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
CWE CWE-203
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5
References () https://people.redhat.com/~hkario/marvin/ - () https://people.redhat.com/~hkario/marvin/ - Third Party Advisory
References () https://pkg.go.dev/vuln/GO-2023-2375 - () https://pkg.go.dev/vuln/GO-2023-2375 - Vendor Advisory
References () https://groups.google.com/g/golang-announce/c/QMK8IQALDvA - () https://groups.google.com/g/golang-announce/c/QMK8IQALDvA - Mailing List, Release Notes
References () https://go.dev/cl/326012/26 - () https://go.dev/cl/326012/26 - Issue Tracking
References () https://go.dev/issue/20654 - () https://go.dev/issue/20654 - Issue Tracking

05 Dec 2023, 17:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-12-05 17:15

Updated : 2024-02-05 00:22


NVD link : CVE-2023-45287

Mitre link : CVE-2023-45287

CVE.ORG link : CVE-2023-45287


JSON object : View

Products Affected

golang

  • go
CWE
CWE-203

Observable Discrepancy