CWE: 327
EPSS: 0.087%

CVE-2024-22192: Ursa CL-Signatures Revocation allows verifiers to generate unique identifiers for holders

First published: Tue Jan 16 2024

### Summary

The revocation scheme that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model. Notably, a malicious verifier may be able to generate a unique identifier for a holder providing a verifiable presentation that includes a Non-Revocation proof.

### Details

The revocation scheme that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model, potentially allowing a malicious verifier to generate a unique identifier for a holder that provides a verifiable presentation that includes a Non-Revocation proof.

The flaw affects all CL-Signatures versions published from the [Hyperledger Ursa] repository to the [Ursa Rust Crate], and is fixed in all versions published from the [Hyperledger AnonCreds CL-Signatures] repository to the [AnonCreds CL-Signatures Rust Crate].

Addressing the flaw requires updating AnonCreds holder software (such as mobile wallets) to a corrected CL-Signatures implementation, such as the [AnonCreds CL-Signatures Rust Crate]. Verifying presentations from corrected holders requires updating the verifier software to a corrected CL-Signatures implementation. An updated verifier based on AnonCreds CL-Signatures can verify presentations from holders built on either the flawed Ursa CL-Signatures implementation or a corrected CL-Signatures implementation.

The flaw occurs as a result of generating a verifiable presentation that includes a Non-Revocation proof from a flawed implementation.

### Impact

The impact of the flaw is that a malicious verifier may be able to determine a unique identifier for a holder presenting a Non-Revocation proof.

### Mitigation

Upgrade libraries/holder applications that generate AnonCreds verifiable presentations using the [Ursa Rust Crate] to any version of the [AnonCreds CL-Signatures Rust Crate].

[Hyperledger Ursa]: https://github.com/hyperledger-archives/ursa
[Ursa Rust Crate]: https://crates.io/crates/ursa
[Hyperledger AnonCreds CL-Signatures]: https://github.com/hyperledger/anoncreds-clsignatures-rs
[AnonCreds CL-Signatures Rust Crate]: https://crates.io/crates/anoncreds-clsignatures

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
| --- | --- | --- |
| rust/anoncreds-clsignatures | <0.1.0 | 0.1.0 |
| rust/ursa | <=0.3.7 | |
| Hyperledger Ursa | =0.1.0 | |
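A practical way to act on the table above is to check a project's `Cargo.lock` for the crates it names: any `ursa` release up to 0.3.7 carries the flawed revocation code, and `anoncreds-clsignatures` 0.1.0 or later is the corrected implementation. The script below is an added example, not part of the advisory or of either project; it contains a minimal parser for the `[[package]]` tables of a lockfile (only `name` and `version` are read) and a constructed sample lockfile so it runs stand-alone. The verdict strings and the priority given to a flawed `ursa` entry over a present `anoncreds-clsignatures` entry are this example's own choices.

```python
# Added example: flag Cargo.lock files that still pull in the flawed `ursa` crate
# (CVE-2024-22192). Not code from the advisory, Hyperledger Ursa or AnonCreds.
import re

# Affected ranges as given in the advisory's affected-software table.
FLAWED_URSA_MAX = (0, 3, 7)   # rust/ursa <= 0.3.7 is affected
FIXED_CLSIG_MIN = (0, 1, 0)   # rust/anoncreds-clsignatures >= 0.1.0 is the corrected crate


def parse_version(text):
    """Turn '0.3.7' (with an optional pre-release/build suffix) into a comparable tuple."""
    core = text.split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def parse_cargo_lock(text):
    """Return (name, version) pairs from the [[package]] tables of a Cargo.lock.

    Minimal parser: only the `name` and `version` keys are read; other keys
    (source, checksum, dependencies) are ignored.
    """
    packages = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif current is not None:
            match = re.match(r'(name|version)\s*=\s*"([^"]*)"', line)
            if match:
                current[match.group(1)] = match.group(2)
    return [(p["name"], p["version"]) for p in packages if "name" in p and "version" in p]


def assess(text):
    """Report which flawed/fixed CL-Signatures crates a lockfile resolves to.

    A flawed `ursa` entry is treated as affected even when the corrected crate is
    also present, since a build could still call the old code path.
    """
    flawed, fixed = [], []
    for name, version in parse_cargo_lock(text):
        if name == "ursa" and parse_version(version) <= FLAWED_URSA_MAX:
            flawed.append((name, version))
        elif name == "anoncreds-clsignatures" and parse_version(version) >= FIXED_CLSIG_MIN:
            fixed.append((name, version))
    if flawed:
        verdict = "affected: holder builds from this lockfile produce linkable Non-Revocation proofs"
    elif fixed:
        verdict = "not affected: corrected CL-Signatures crate in use"
    else:
        verdict = "no CL-Signatures crate found"
    return {"flawed": flawed, "fixed": fixed, "verdict": verdict}


# Constructed sample lockfile (not taken from any real project); versions match
# the advisory's table so the check has something to find.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "serde"
version = "1.0.0"

[[package]]
name = "ursa"
version = "0.3.7"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "anoncreds-clsignatures"
version = "0.1.0"
"""

if __name__ == "__main__":
    report = assess(SAMPLE_LOCK)
    for name, version in report["flawed"]:
        print(f"flawed crate: {name} {version}")
    for name, version in report["fixed"]:
        print(f"corrected crate: {name} {version}")
    print(report["verdict"])
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with the file's contents; a lockfile that lists `ursa` at any version up to 0.3.7 is reported as affected regardless of whether the corrected crate is also present.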


Frequently Asked Questions

  • What is the severity of CVE-2024-22192?

    CVE-2024-22192 is considered to have a critical impact on privacy guarantees within the Ursa CL-Signatures implementation.

  • How do I fix CVE-2024-22192?

    To mitigate CVE-2024-22192, move holder software that generates AnonCreds verifiable presentations off the ursa crate (every release up to 0.3.7 is affected and no fixed Ursa release is listed) and onto anoncreds-clsignatures version 0.1.0 or later.

  • What software is affected by CVE-2024-22192?

    CVE-2024-22192 affects the anoncreds-clsignatures package in versions below 0.1.0 and the Ursa package up to version 0.3.7.

  • What are the privacy implications of CVE-2024-22192?

    CVE-2024-22192 may allow a malicious verifier to create a unique identifier for credential holders, compromising their privacy.

  • Is there a patch available for CVE-2024-22192?

    Yes. The corrected implementation is anoncreds-clsignatures version 0.1.0 or later; no fixed release of the Ursa crate is listed, and versions up to 0.3.7 remain affected.
