4.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-29185

CVE-2022-29185: Observable Timing Discrepancy in totp-rs

Impact

Token comparison was not constant time, and could theorically be used to guess value of an TOTP token, and thus reuse it in the same time window. The attacker would have to know the password beforehand nonetheless.

Patches

Library now used constant-time comparison.

Workarounds

No.

For more information

If you have any questions or comments about this advisory:

Open an issue in totp-rs
Email us at cleo.rebert@gmail.com

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2022-29185

CVE-2022-29185:

4.2

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
totp-rs	rust	< 1.1.0	1.1.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from using regular string comparison (==) in the token validation logic. The commit diff shows the critical fix replaced this with constant_time_eq() in TOTP<T>::check. This function's comparison of generated tokens with user input was vulnerable to timing analysis, as string equality checks in most languages (including Rust) short-circuit on first mismatch. The direct replacement with a constant-time comparison function in the patched version confirms this was the vulnerable point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2022-29185: Observable Timing Discrepancy in totp-rs

Impact

Patches

Workarounds

For more information

CVE-2022-29185:

4.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

4.2

4.2

CVE-2022-29185: Observable Timing Discrepancy in totp-rs

Impact

Patches

Workarounds

For more information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI