CL-Signatures Revocation Scheme in Ursa has flaws that allow a holder to demonstrate non-revocation of a revoked credential
CVE-2024-21670

6.5MEDIUM

Key Information:

Vendor: hyperledger-archives
Status: ursa
Vendor: CVE Published:; 16 January 2024

🔔 Create hyperledger-archives Vulnerability Alert

What is CVE-2024-21670?

Ursa is a cryptographic library for use with blockchains. The revocation schema that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model, allowing a malicious holder of a revoked credential to generate a valid Non-Revocation Proof for that credential as part of an AnonCreds presentation. A verifier may verify a credential from a holder as being "not revoked" when in fact, the holder's credential has been revoked. Ursa has moved to end-of-life status and no fix is expected.

Affected Version(s)

ursa <= 0.3.7

References

https://github.com/hyperledger-archives/ursa/security/adv...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Physical

Attack Complexity:

High

Privileges Required:

High

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 16, 2024
Vulnerability Reserved
Dec 29, 2023

CVE-2024-21670 Data

JSON