
Cloud Vulnerability DB
A community-led vulnerabilities database
Ursa is a cryptographic library for use with blockchains. The vulnerability (CVE-2024-21670) was discovered in version 0.1.0 of the library, specifically in the revocation schema component of the Ursa CL-Signatures implementations. The flaw was disclosed on January 16, 2024, affecting the privacy guarantees defined by the AnonCreds verifiable credential model (Vendor Advisory).
The vulnerability exists in the revocation schema of the Ursa CL-Signatures implementation, allowing a malicious holder of a revoked credential to generate a valid Non-Revocation Proof for that credential as part of an AnonCreds presentation. The flaw is present in all CL-Signatures versions published from the Hyperledger Ursa repository to the Ursa Rust crate. The CVSS v3.1 score is 8.1 HIGH (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) according to the NVD assessment (NVD).
The primary impact is that a verifier may accept a credential from a holder as 'not revoked' when in fact the holder's credential has been revoked. To exploit the flaw, a holder must update their wallet (agent) software, replacing the Hyperledger Ursa or AnonCreds CL-Signatures library that generates the proof of non-revocation (Vendor Advisory).
Since Ursa has moved to end-of-life status, no direct fix is expected. However, users can mitigate the vulnerability by upgrading libraries/applications to any version of the AnonCreds CL Signatures Rust Crate. For applications that have issued revocable credentials, new revocation registries must be created after upgrading the Issuer library, and credentials issued from revocation registries created with the flawed software must be revoked and reissued (Vendor Advisory).
Source: This report was generated using AI