NVD Vulnerability Detail

Search Exploit, PoC

Exploit DB

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2024-45040

Summary	gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.11.0, commitments to private witnesses in Groth16 as implemented break the zero-knowledge property. The vulnerability affects only Groth16 proofs with commitments. Notably, PLONK proofs are not affected. The vulnerability affects the zero-knowledge property of the proofs - in case the witness (secret or internal) values are small, then the attacker may be able to enumerate all possible choices to deduce the actual value. If the possible choices for the variables to be committed is large or there are many values committed, then it would be computationally infeasible to enumerate all valid choices. It doesn't affect the completeness/soundness of the proofs. The vulnerability has been fixed in version 0.11.0. The patch to fix the issue is to add additional randomized value to the list of committed value at proving time to mask the rest of the values which were committed. As a workaround, the user can manually commit to a randomized value.
Publication Date	Sept. 6, 2024, 10:15 p.m.
Registration Date	Sept. 7, 2024, 5 a.m.
Last Update	Sept. 20, 2024, 9:13 a.m.

CVSS3.1 : MEDIUM
スコア	5.9
Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	高
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	なし
可用性への影響(A)	なし

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:consensys:gnark-crypto::::::::					0.11.0

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/Consensys/gnark/security/advisories/GHSA-9xcg-3q8v-7fq6		Third Party Advisory
2	https://github.com/Consensys/gnark/pull/1245		Product
3	https://github.com/Consensys/gnark/commit/afda68a38acca37becb8ba6d8982d03fee9559a0		Patch

Common Vulnerabilities List

JVN Vulnerability Information

consensys の gnark-crypto における脆弱性

Title	consensys の gnark-crypto における脆弱性
Summary	consensys の gnark-crypto には、不特定の脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Sept. 6, 2024, midnight
Registration Date	Sept. 24, 2024, 10:34 a.m.
Last Update	Sept. 24, 2024, 10:34 a.m.

Affected System

consensys

gnark-crypto 0.11.0 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-45040	https://www.cve.org/CVERecord?id=CVE-2024-45040
National Vulnerability Database (NVD)
2	CVE-2024-45040	https://nvd.nist.gov/vuln/detail/CVE-2024-45040

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-200	https://jvndb.jvn.jp/ja/cwe/CWE-200.html
2	CWE-noinfo	https://www.ipa.go.jp/security/vuln/scap/cwe.html

その他

No	Name	URL
関連文書
1	github.com (afda68a38acca37becb8ba6d8982d03fee9559a0)	https://github.com/Consensys/gnark/commit/afda68a38acca37becb8ba6d8982d03fee9559a0
2	github.com (GHSA-9xcg-3q8v-7fq6)	https://github.com/Consensys/gnark/security/advisories/GHSA-9xcg-3q8v-7fq6
3	github.com (pull/1245)	https://github.com/Consensys/gnark/pull/1245

Change Log

No	Changed Details	Date of change
1	[2024年09月24日] 掲載	Sept. 24, 2024, 10:26 a.m.