CVE-2024-22192

Name of the Vulnerable Software and Affected Versions Ursa (affected versions not specified)

Description The revocation scheme in Ursa's CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model. A malicious verifier may be able to generate a unique identifier for a holder providing a verifiable presentation that includes a Non-Revocation proof. The impact of the flaw is that a malicious verifier may be able to determine a unique identifier for a holder presenting a Non-Revocation proof.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. However, to mitigate the issue, upgrade libraries/holder applications that generate AnonCreds verifiable presentations using the Ursa Rust Crate to any version of the AnonCreds CL-Signatures Rust Crate. Additionally, updating the verifier software to a corrected CL-Signatures implementation, such as the one based on AnonCreds CL-Signatures, can help verify presentations from holders built on either the flawed Ursa CL-Signature implementation or a corrected CL-Signature implementation.