Home > Vulnerability Database > CVE-2023-45287

Mend.io Vulnerability Database

CVE-2023-45287

Date: December 5, 2023

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.

Language: Go

Severity Score

7.5

Related Resources (9)

Url: https://groups.google.com/g/golang-announce/c/QMK8IQALDvA

Url: https://pkg.go.dev/vuln/GO-2023-2375

Url: https://people.redhat.com/~hkario/marvin/

Url: https://go.dev/issue/20654

Url: https://go.dev/cl/326012/26

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-45287

Url: https://security.netapp.com/advisory/ntap-20240112-0005/

Url: https://security-tracker.debian.org/tracker/CVE-2023-45287

Url: https://www.mend.io/vulnerability-database/CVE-2023-45287

Severity Score

7.5

Weakness Type (CWE)

Observable Discrepancy

CWE-203

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2023-45287

Date: December 5, 2023

Language: Go

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?