CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-22192 – Ursa CL-Signatures Revocation allows verifiers to generate unique identifiers for holders
https://notcve.org/view.php?id=CVE-2024-22192
16 Jan 2024 — Ursa is a cryptographic library for use with blockchains. The revocation scheme that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model. Notably, a malicious verifier may be able to generate a unique identifier for a holder providing a verifiable presentation that includes a Non-Revocation proof. The impact of the flaw is that a malicious verifier may be able to determine a unique identifier for a holder ... • https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-6698-mhxx-r84g • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-21670 – CL-Signatures Revocation Scheme in Ursa has flaws that allow a holder to demonstrate non-revocation of a revoked credential
https://notcve.org/view.php?id=CVE-2024-21670
16 Jan 2024 — Ursa is a cryptographic library for use with blockchains. The revocation schema that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model, allowing a malicious holder of a revoked credential to generate a valid Non-Revocation Proof for that credential as part of an AnonCreds presentation. A verifier may verify a credential from a holder as being "not revoked" when in fact, the holder's credential has been r... • https://github.com/hyperledger-archives/ursa/security/advisories/GHSA-r78f-4q2q-hvv4 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2022-31021 – Unlinkability broken in ursa when verifiers use malicious keys
https://notcve.org/view.php?id=CVE-2022-31021
16 Jan 2024 — Ursa is a cryptographic library for use with blockchains. A weakness in the Hyperledger AnonCreds specification that is not mitigated in the Ursa and AnonCreds implementations is that the Issuer does not publish a key correctness proof demonstrating that a generated private key is sufficient to meet the unlinkability guarantees of AnonCreds. The Ursa and AnonCreds CL-Signatures implementations always generate a sufficient private key. A malicious issuer could in theory create a custom CL Signature implement... • https://github.com/hyperledger/ursa/security/advisories/GHSA-2q6j-gqc4-4gw3 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •