Ursa is a cryptographic library for use with blockchains. The revocation scheme that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model. Notably, a malicious verifier may be able to generate a unique identifier for a holder providing a verifiable presentation that includes a Non-Revocation proof. The impact of the flaw is that a malicious verifier may be able to determine a unique identifier for a holder presenting a Non-Revocation proof. Ursa has moved to end-of-life status and no fix is expected.
References
Link | Resource |
---|---|
https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-6698-mhxx-r84g | Vendor Advisory |
Configurations
History
24 Jan 2024, 18:13
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
References | () https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-6698-mhxx-r84g - Vendor Advisory | |
CPE | cpe:2.3:a:hyperledger:ursa:0.1.0:*:*:*:*:rust:*:* | |
First Time |
Hyperledger ursa
Hyperledger |
16 Jan 2024, 22:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-01-16 22:15
Updated : 2024-02-28 20:54
NVD link : CVE-2024-22192
Mitre link : CVE-2024-22192
CVE.ORG link : CVE-2024-22192
JSON object : View
Products Affected
hyperledger
- ursa
CWE
CWE-327
Use of a Broken or Risky Cryptographic Algorithm