CVE-2023-49092: 
Rust vulnerability analysis and mitigation

RustCrypto/RSA, a portable RSA implementation in pure Rust, was identified with a vulnerability (CVE-2023-49092) disclosed on November 28, 2023. The vulnerability stems from a non-constant-time implementation that could potentially expose private key information through timing side-channels (GitHub Advisory).

The vulnerability was discovered as part of the 'Marvin Attack' research. The issue lies in the implementation's timing variations, which can leak information about the private key through observable timing differences. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector with high complexity, no privileges required, and potential for high confidentiality impact (GitHub Advisory).

The vulnerability could allow attackers to potentially recover the private key by observing timing information that is accessible over the network. This could lead to a complete compromise of the RSA encryption for affected implementations (GitHub Advisory).

Currently, there is no patch available, though work is in progress to implement a fully constant-time implementation. The recommended workaround is to avoid using the RSA crate in environments where attackers can observe timing information. Local use on non-compromised computers is considered safe (GitHub Advisory).