
GHSA-j57r-4qw6-58r3 rusty-paseto

Package

Manager: cargo
Name: rusty-paseto
Vulnerable Version: >=0 <0.6.0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

rusty_paseto vulnerable to private key extraction due to ed25519-dalek dependency

## Impact

The vulnerability, known as RUSTSEC-2022-0093, affects the `ed25519-dalek` crate, which is a dependency of the `rusty-paseto` crate. The issue is a "Double Public Key Signing Function Oracle Attack" affecting versions of `ed25519-dalek` prior to v2.0. These versions expose an unsafe API for serializing and deserializing 64-byte keypairs that contain both the private and the public key, creating the potential for certain attacks. `ed25519-dalek` users who call these serialization and deserialization functions directly could be affected.

## Patches

The vulnerability in the `ed25519-dalek` crate has been addressed in version 2.0. `rusty-paseto` has addressed it in release v0.6.0.

## Workarounds

Users are recommended to upgrade to v0.6.0 of `rusty-paseto`. Users should still ensure that their key serialization and deserialization practices are secure and avoid any practice that could lead to key exposure.

## References

More information about RUSTSEC-2022-0093 can be found in the [RustSec Advisory Database](https://rustsec.org/advisories/RUSTSEC-2022-0093.html). Updates and details regarding the upcoming release of `rusty-paseto` will be documented in the project's [releases](https://github.com/your-repo/rusty-paseto/releases) and [changelog](https://github.com/your-repo/rusty-paseto/blob/main/CHANGELOG.md).

This issue was first reported by Dependabot on 2023-08-15. The source was reviewed by @rrrodzilla at that time, and a determination was made that the vulnerability posed low harm to existing users because of the strongly typed nature of the keys provided by the rusty-paseto API. @techport-om reported the vulnerability to the repository after discovering it during a `cargo-audit` run on 2023-11-05 and opened [issue 28](https://github.com/rrrodzilla/rusty_paseto/issues/28). This advisory was created at that time to notify existing users.
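As an added illustration, not code from the rusty-paseto project or from ed25519-dalek, this is the check a safe loader applies to the 64-byte (secret || public) keypair format described above, written in Python so it runs stand-alone without the crate: the public key is re-derived from the 32-byte seed and any blob whose stored public half disagrees is rejected rather than trusted. The curve arithmetic follows the RFC 8032 reference code, and the function names and the seed values used in the test are constructed for this example.

```python
import hashlib

# Curve constants as in the RFC 8032 reference implementation.
q = 2**255 - 19
d = (-121665 * pow(121666, q - 2, q)) % q
I = pow(2, (q - 1) // 4, q)  # sqrt(-1) mod q

def xrecover(y):
    # Recover the even x coordinate for a given y on the curve.
    xx = (y * y - 1) * pow(d * y * y + 1, q - 2, q)
    x = pow(xx, (q + 3) // 8, q)
    if (x * x - xx) % q != 0:
        x = (x * I) % q
    return q - x if x % 2 else x

By = 4 * pow(5, q - 2, q) % q
B = (xrecover(By), By)  # base point

def edwards_add(P, Q):
    (x1, y1), (x2, y2) = P, Q
    t = d * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, q - 2, q)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, q - 2, q)
    return (x3 % q, y3 % q)

def scalar_mult(P, e):
    Q = (0, 1)  # neutral element; plain double-and-add, not constant time
    for bit in bin(e)[2:]:
        Q = edwards_add(Q, Q)
        if bit == "1":
            Q = edwards_add(Q, P)
    return Q

def secret_scalar(seed):
    # Clamp SHA-512(seed)[:32] into the signing scalar (RFC 8032 section 5.1.5).
    h = hashlib.sha512(seed).digest()
    return (int.from_bytes(h[:32], "little") & ((1 << 254) - 8)) | (1 << 254)

def public_key(seed):
    x, y = scalar_mult(B, secret_scalar(seed))
    return (y | ((x & 1) << 255)).to_bytes(32, "little")  # y plus the sign bit of x

def load_keypair(blob):
    # Parse a 64-byte (seed || pk) blob. Signing hashes pk into the challenge, so
    # trusting a stored pk that was never checked against the seed is the unsafe
    # pattern behind RUSTSEC-2022-0093: re-derive it and reject any mismatch.
    seed, stored_pk = blob[:32], blob[32:]
    if len(blob) != 64 or public_key(seed) != stored_pk:
        raise ValueError("blob is malformed or its public key does not match the seed")
    return seed
```

A caller that needs the public key derives it again with `public_key(seed)` instead of reading it back from the blob.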

Metadata

Created: 2023-11-07T23:44:25Z
Modified: 2023-11-07T23:44:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-j57r-4qw6-58r3/GHSA-j57r-4qw6-58r3.json
CWE IDs: []
Alternative ID: N/A
Finding: F017
Auto approve: 1