Vulnerability DatabaseCVE-2024-21670
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-21670
January 16, 2024
Ursa is a cryptographic library for use with blockchains. The revocation schema that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model, allowing a malicious holder of a revoked credential to generate a valid Non-Revocation Proof for that credential as part of an AnonCreds presentation. A verifier may verify a credential from a holder as being "not revoked" when in fact, the holder's credential has been revoked. Ursa has moved to end-of-life status and no fix is expected.
Related ResourcesĀ (3)
https://github.com/hyperledger-archives/ursa
https://nvd.nist.gov/vuln/detail/CVE-2024-21670
https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-r78f-4q2q-hvv4
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
PHYSICAL
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
HIGH
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
NONE
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
HIGH
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
PHYSICAL
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE
Weakness Type (CWE)
Use of a Broken or Risky Cryptographic Algorithm
CWE-327
EPSS
Base Score:
0.12