Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2022-31021

Good to know:

icon

Date: January 16, 2024

Ursa is a cryptographic library for use with blockchains. A weakness in the Hyperledger AnonCreds specification that is not mitigated in the Ursa and AnonCreds implementations is that the Issuer does not publish a key correctness proof demonstrating that a generated private key is sufficient to meet the unlinkability guarantees of AnonCreds. The Ursa and AnonCreds CL-Signatures implementations always generate a sufficient private key. A malicious issuer could in theory create a custom CL Signature implementation (derived from the Ursa or AnonCreds CL-Signatures implementations) that uses weakened private keys such that presentations from holders could be shared by verifiers to the issuer who could determine the holder to which the credential was issued. This vulnerability could impact holders of AnonCreds credentials implemented using the CL-signature scheme in the Ursa and AnonCreds implementations of CL Signatures. The ursa project has has moved to end-of-life status and no fix is expected.

Language: RUST

Severity Score

Related Resources (4)

https://nvd.nist.gov/vuln/detail/CVE-2022-31021
https://www.brics.dk/RS/98/29/BRICS-RS-98-29.pdf
https://github.com/hyperledger/ursa/security/advisories/GHSA-2q6j-gqc4-4gw3
https://www.mend.io/vulnerability-database/CVE-2022-31021

Severity Score

Weakness Type (CWE)

Inclusion of Functionality from Untrusted Control Sphere

CWE-829

Top Fix

icon

Upgrade Version

Upgrade to version ursa - 0.3.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us