CVE-2024-22192: 
Rust vulnerability analysis and mitigation

Ursa, a cryptographic library for use with blockchains, contains a vulnerability (CVE-2024-22192) in its CL-Signatures implementations' revocation scheme. The vulnerability was disclosed on January 16, 2024, affecting version 0.1.0 of the Ursa library. This flaw impacts the privacy guarantees defined by the AnonCreds verifiable credential model (GitHub Advisory).

The vulnerability exists in the revocation scheme of Ursa's CL-Signatures implementations. The flaw specifically affects the Non-Revocation proof mechanism, with a CVSS v3.1 base score of 6.5 (Medium), and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. This indicates that the vulnerability is network-accessible, requires low attack complexity, needs no privileges, but does require user interaction (GitHub Advisory).

The primary impact of this vulnerability is that a malicious verifier may be able to determine a unique identifier for a holder presenting a Non-Revocation proof, potentially compromising the privacy of the credential holder (GitHub Advisory).

No direct fix is available as Ursa has moved to end-of-life status. The recommended mitigation is to upgrade libraries and holder applications that generate AnonCreds verifiable presentations using the Ursa Rust Crate to any version of the AnonCreds CL Signatures Rust Crate. Verifiers need to update their software to a corrected CL-Signatures implementation (GitHub Advisory).