Unlinkability broken in ursa when verifiers use malicious keys
CVE-2022-31021

3.3LOW

Key Information:

Vendor: Hyperledger
Status: Ursa
Vendor: CVE Published:; 16 January 2024

🔔 Create Hyperledger Vulnerability Alert

What is CVE-2022-31021?

The vulnerability in Hyperledger's Ursa cryptographic library stems from a fundamental weakness in the AnonCreds specification, where the Issuer fails to publish a key correctness proof that verifies the ability of a generated private key to uphold the unlinkability guarantees integral to AnonCreds. While the Ursa and AnonCreds implementations generate private keys that should be adequate, there exists a potential threat from a malicious issuer who could develop a custom CL Signature implementation using weakened private keys. This could allow them to link presentations from credential holders back to the issuer, undermining the privacy intended by the AnonCreds framework. As the Ursa project is now at end-of-life status, no resolutions for this vulnerability are anticipated, leaving users of AnonCreds credentials susceptible to privacy risks.

Affected Version(s)

ursa <= 0.3.7

References

https://github.com/hyperledger/ursa/security/advisories/G...

x_refsource_CONFIRM

https://www.brics.dk/RS/98/29/BRICS-RS-98-29.pdf

x_refsource_MISC

CVSS V3.1

Score:

3.3

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 16, 2024
Vulnerability Reserved
May 18, 2022

CVE-2022-31021 Data

JSON