SCA: security update for github.com/consensys/gnark (GHSA-q3hw-3gm4-w5cr)

medium Tenable Self-Hosted Container Security Plugin ID 417838

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Versions prior to 0.11.0
have a soundness issue - in case of multiple commitments used inside the circuit the prover is able to
choose all but the last commitment. As gnark uses the commitments for optimized non-native multiplication,
lookup checks etc. as random challenges, then it could impact the soundness of the whole circuit. However,
using multiple commitments has been discouraged due to the additional cost to the verifier and it has not
been supported in the recursive in-circuit Groth16 verifier and Solidity verifier. gnark's maintainers
expect the impact of the issue be very small - only for the users who have implemented the native Groth16
verifier or are using it with multiple commitments. We do not have information of such users. The issue
has been patched in version 0.11.0. As a workaround, users should follow gnark maintainers' recommendation
to use only a single commitment and then derive in-circuit commitments as needed using the
`std/multicommit` package. (CVE-2024-45039)

See Also

https://github.com/advisories/GHSA-q3hw-3gm4-w5cr

Plugin Details

Severity: Medium

ID: 417838

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2024-45039

CVSS v3

Risk Factor: Medium

Base Score: 6.2

Temporal Score: 5.4

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/6/2024

Vulnerability Publication Date: 9/6/2024

Reference Information

CVE: CVE-2024-45039

cwe: CWE-200