Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02Njk4LW1oeHgtcjg0Z84AA4gF
Ursa CL-Signatures Revocation allows verifiers to generate unique identifiers for holders
Summary
The revocation scheme that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model. Notably, a malicious verifier may be able to generate a unique identifier for a holder providing a verifiable presentation that includes a Non-Revocation proof.
Details
The revocation scheme that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model, potentially allowing a malicious verifier to generate a unique identifier for a holder that provides a verifiable presentation that includes a Non-Revocation proof.
The flaws affects all CL-Signature versions published from the Hyperledger Ursa repository to the Ursa Rust Crate, and is fixed in all versions published from the Hyperledger AnonCreds CL-Signatures repository to the AnonCreds CL-Signatures Rust Crate.
The addressing the flaw requires updating AnonCreds holder software (such as mobile wallets) to a corrected CL-Signature implementation, such as the [AnonCreds CL Signatures Rust Crate]. Verifying presentations from corrected holders requires a updating the verifier software to a corrected CL-Signatures implementation. An updated verifier based on AnonCreds CL-Signatures can verify presentations from holders built on either the flawed Ursa CL-Signature implementation or a corrected CL-Signature implementation
The flaw occurs as a result of generating a verifiable presentation that includes a Non-Revocation proof from a flawed implementation.
Impact
The impact of the flaw is that a malicious verifier may be able to determine a unique identifier for a holder presenting a Non-Revocation proof.
Mitigation
Upgrade libraries/holder applications that generate AnonCreds verifiable presentations using the Ursa Rust Crate to any version of the AnonCreds CL-Signatures Rust Crate.
Permalink: https://github.com/advisories/GHSA-6698-mhxx-r84gJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02Njk4LW1oeHgtcjg0Z84AA4gF
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 3 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Identifiers: GHSA-6698-mhxx-r84g, CVE-2024-22192
References:
- https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-6698-mhxx-r84g
- https://github.com/hyperledger/anoncreds-clsignatures-rs/commit/1e55780c890b027fa51e361e188a7743a0bf473f
- https://nvd.nist.gov/vuln/detail/CVE-2024-22192
- https://github.com/advisories/GHSA-6698-mhxx-r84g
Blast Radius: 10.7
Affected Packages
cargo:anoncreds-clsignatures
Dependent packages: 1Dependent repositories: 1
Downloads: 32,147 total
Affected Version Ranges: < 0.1.0
Fixed in: 0.1.0
All affected versions:
All unaffected versions: 0.1.0, 0.2.0, 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.3.2
cargo:ursa
Dependent packages: 9Dependent repositories: 44
Downloads: 167,600 total
Affected Version Ranges: <= 0.3.7
No known fixed version
All affected versions: 0.1.0, 0.1.1, 0.2.0, 0.3.0, 0.3.1, 0.3.2, 0.3.4, 0.3.5, 0.3.6, 0.3.7