Lucene search

GoogleOSV:CVE-2024-21670

HistoryJan 16, 2024 - 10:15 p.m.

CVE-2024-21670

2024-01-1622:15:45

Google

osv.dev

ursa

cl-signatures

anoncreds

privacy

flaw

verifiable credential model

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.1%

JSON

Ursa is a cryptographic library for use with blockchains. The revocation schema that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model, allowing a malicious holder of a revoked credential to generate a valid Non-Revocation Proof for that credential as part of an AnonCreds presentation. A verifier may verify a credential from a holder as being “not revoked” when in fact, the holder’s credential has been revoked. Ursa has moved to end-of-life status and no fix is expected.

CPENameOperatorVersion
ursaeq0.1.0

CPE	Name	Operator	Version
	ursa	eq	0.1.0

References

github.com/hyperledger-archives/ursa/security/advisories/GHSA-r78f-4q2q-hvv4

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

39.1%

JSON

Related for OSV:CVE-2024-21670