CVE-2023-45287

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Dec 5, 2023

Updated: Jan 12, 2024

CWE ID 203

Summary

CVE-2023-45287: Before Go 1.20, the RSA-based TLS key exchanges in Go used the math/big library, which was not constant time. Although RSA blinding was employed to prevent timing attacks, recent analysis suggests that this measure may not have been entirely effective. Specifically, the removal of PKCS#1 padding in Go's implementation may cause timing leaks, potentially revealing session key bits. In response, Go 1.20 now utilizes a fully constant time RSA implementation in its crypto/tls library, mitigating these concerns.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Golang Go

Advisories, Assessments, and Mitigations

https://app.recordedfuture.com/live/sc/entity/s6Qmy9
https://www.cve.org/CVERecord?id=CVE-2023-45287
https://nvd.nist.gov/vuln/detail/CVE-2023-45287

Back to Vulnerability Database

CVE-2023-45287

CVSS 3.1 Score 7.5 of 10 (high)

Details

Summary

Affected Products

Advisories, Assessments, and Mitigations