CVE-2023-44378

Опубликовано: 09 окт. 2023

Источник: nvd

CVSS3: 7.1

CVSS3: 5.5

EPSS Низкий

Описание

gnark is a zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.9.0, for some in-circuit values, it is possible to construct two valid decomposition to bits. In addition to the canonical decomposition of a, for small values there exists a second decomposition for a+r (where r is the modulus the values are being reduced by). The second decomposition was possible due to overflowing the field where the values are defined. Upgrading to version 0.9.0 should fix the issue without needing to change the calls to value comparison methods.

Ссылки

https://github.com/Consensys/gnark/commit/59a4087261a6c73f13e80d695c17b398c3d0934f
Patch
https://github.com/Consensys/gnark/security/advisories/GHSA-498w-5j49-vqjg
Mitigation
Patch
Third Party Advisory
https://github.com/zkopru-network/zkopru/issues/116
Not Applicable
https://github.com/Consensys/gnark/commit/59a4087261a6c73f13e80d695c17b398c3d0934f
Patch
https://github.com/Consensys/gnark/security/advisories/GHSA-498w-5j49-vqjg
Mitigation
Patch
Third Party Advisory
https://github.com/zkopru-network/zkopru/issues/116
Not Applicable

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:consensys:gnark:*:*:*:*:*:*:*:*

Версия до 0.9.0 (исключая)

EPSS

Процентиль: 10%

0.00035

Низкий

7.1 High

CVSS3

5.5 Medium

CVSS3

Дефекты

CWE-191

Связанные уязвимости

GHSA-498w-5j49-vqjg

CVSS3: 5.5

github

больше 2 лет назад

gnark unsoundness in variable comparison / non-unique binary decomposition

EPSS

Процентиль: 10%

0.00035

Низкий

7.1 High

CVSS3

5.5 Medium

CVSS3

Дефекты

CWE-191