Skip to main content
Version: latest

CVE-2023-45287

CVE Details

Visit the official vulnerability details page for CVE-2023-45287 to learn more.

Initial Publication

10/25/2024

Last Update

03/29/2025

Third Party Dependency

go

NIST CVE Summary

Before Go 1.20, the RSA based TLS key exchanges used the math/big library, which is not constant time. RSA blinding was applied to prevent timing attacks, but analysis shows this may not have been fully effective. In particular it appears as if the removal of PKCS#1 padding may leak timing information, which in turn could be used to recover session key bits. In Go 1.20, the crypto/tls library switched to a fully constant time RSA implementation, which we do not believe exhibits any timing side channels.

CVE Severity

7.5

Our Official Summary

This vulnerability is a false positive. Although this is reported by the scanning tools on some of the components, further checks indicate the symbol/function with the vulnerability while present is not being used.

Status

Ongoing

Affected Products & Versions

VersionPalette EnterprisePalette Enterprise AirgapVerteXVerteX Airgap
4.6.18⚠️ Impacted✅ No Impact⚠️ Impacted✅ No Impact
4.5.22⚠️ Impacted⚠️ Impacted⚠️ Impacted✅ No Impact
4.4.20⚠️ Impacted⚠️ Impacted⚠️ Impacted✅ No Impact

Revision History

No revisions available.