golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/Consensys/gnark: CVE-2024-45040 #3123

Closed GoVulnBot closed 4 days ago

GoVulnBot commented 1 week ago

Advisory CVE-2024-45040 references a vulnerability in the following Go modules:

Module
github.com/Consensys/gnark

Description: gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Prior to version 0.11.0, commitments to private witnesses in Groth16 as implemented break the zero-knowledge property. The vulnerability affects only Groth16 proofs with commitments. Notably, PLONK proofs are not affected. The vulnerability affects the zero-knowledge property of the proofs - in case the witness (secret or internal) values are small, then the attacker may be able to enumerate all possible choices to deduce the actual value. If the possible choices for the variables to be committed is large or ther...

References:

No existing reports found with this module or alias. See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/Consensys/gnark
      vulnerable_at: 0.11.0
summary: CVE-2024-45040 in github.com/Consensys/gnark
cves:
    - CVE-2024-45040
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45040
    - fix: https://github.com/Consensys/gnark/commit/afda68a38acca37becb8ba6d8982d03fee9559a0
    - fix: https://github.com/Consensys/gnark/pull/1245
    - web: https://github.com/Consensys/gnark/security/advisories/GHSA-9xcg-3q8v-7fq6
source:
    id: CVE-2024-45040
    created: 2024-09-06T14:01:26.306786963Z
review_status: UNREVIEWED

gopherbot commented 4 days ago

Change https://go.dev/cl/613259 mentions this issue: data/reports: add GO-2024-3123