NVD Vulnerability Detail

Search Exploit, PoC

Exploit DB

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2024-45039

Summary	gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Versions prior to 0.11.0 have a soundness issue - in case of multiple commitments used inside the circuit the prover is able to choose all but the last commitment. As gnark uses the commitments for optimized non-native multiplication, lookup checks etc. as random challenges, then it could impact the soundness of the whole circuit. However, using multiple commitments has been discouraged due to the additional cost to the verifier and it has not been supported in the recursive in-circuit Groth16 verifier and Solidity verifier. gnark's maintainers expect the impact of the issue be very small - only for the users who have implemented the native Groth16 verifier or are using it with multiple commitments. We do not have information of such users. The issue has been patched in version 0.11.0. As a workaround, users should follow gnark maintainers' recommendation to use only a single commitment and then derive in-circuit commitments as needed using the `std/multicommit` package.
Publication Date	Sept. 6, 2024, 10:15 p.m.
Registration Date	Sept. 7, 2024, 5 a.m.
Last Update	Sept. 20, 2024, 9:12 a.m.

CVSS3.1 : MEDIUM
スコア	6.2
Vector	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
攻撃元区分(AV)	ローカル
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	なし
完全性への影響(I)	高
可用性への影響(A)	なし

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:consensys:gnark-crypto::::::::					0.11.0

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/Consensys/gnark/security/advisories/GHSA-q3hw-3gm4-w5cr		Third Party Advisory
2	https://github.com/Consensys/gnark/commit/e7c66b000454f4d2a4ae48c005c34154d4cfc2a2		Broken Link

Common Vulnerabilities List

JVN Vulnerability Information

consensys の gnark-crypto における脆弱性

Title	consensys の gnark-crypto における脆弱性
Summary	consensys の gnark-crypto には、不特定の脆弱性が存在します。
Possible impacts	情報を改ざんされる可能性があります。
Solution	参考情報を参照して適切な対策を実施してください。
Publication Date	Sept. 6, 2024, midnight
Registration Date	Sept. 25, 2024, 9:54 a.m.
Last Update	Sept. 25, 2024, 9:54 a.m.

Affected System

consensys

gnark-crypto 0.11.0 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-45039	https://www.cve.org/CVERecord?id=CVE-2024-45039
National Vulnerability Database (NVD)
2	CVE-2024-45039	https://nvd.nist.gov/vuln/detail/CVE-2024-45039

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html
2	CWE-noinfo	https://www.ipa.go.jp/security/vuln/scap/cwe.html

その他

No	Name	URL
関連文書
1	github.com (GHSA-q3hw-3gm4-w5cr)	https://github.com/Consensys/gnark/security/advisories/GHSA-q3hw-3gm4-w5cr

Change Log

No	Changed Details	Date of change
1	[2024年09月25日] 掲載	Sept. 25, 2024, 9:54 a.m.