x/vulndb: potential Go vuln in github.com/Consensys/gnark: CVE-2024-45039 #3122
Description
Advisory CVE-2024-45039 references a vulnerability in the following Go modules:
| Module |
|---|
| github.com/Consensys/gnark |
Description:
gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Versions prior to 0.11.0 have a soundness issue - in case of multiple commitments used inside the circuit the prover is able to choose all but the last commitment. As gnark uses the commitments for optimized non-native multiplication, lookup checks etc. as random challenges, then it could impact the soundness of the whole circuit. However, using multiple commitments has been discouraged due to the additional cost to the verifier and it has not been supported in the recursive in-circuit Groth16 verifier and Solidi...
References:
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-45039
- FIX: Consensys/gnark@e7c66b0
- WEB: GHSA-q3hw-3gm4-w5cr
No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.
id: GO-ID-PENDING
modules:
- module: github.com/Consensys/gnark
vulnerable_at: 0.11.0
summary: CVE-2024-45039 in github.com/Consensys/gnark
cves:
- CVE-2024-45039
references:
- advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45039
- fix: https://github.com/Consensys/gnark/commit/e7c66b000454f4d2a4ae48c005c34154d4cfc2a2
- web: https://github.com/Consensys/gnark/security/advisories/GHSA-q3hw-3gm4-w5cr
source:
id: CVE-2024-45039
created: 2024-09-06T14:01:21.168247948Z
review_status: UNREVIEWED