x/vulndb: potential Go vuln in github.com/Consensys/gnark: CVE-2024-45039

[GoVulnBot]

Advisory CVE-2024-45039 references a vulnerability in the following Go modules:

Module
github.com/Consensys/gnark

Description:
gnark is a fast zk-SNARK library that offers a high-level API to design circuits. Versions prior to 0.11.0 have a soundness issue - in case of multiple commitments used inside the circuit the prover is able to choose all but the last commitment. As gnark uses the commitments for optimized non-native multiplication, lookup checks etc. as random challenges, then it could impact the soundness of the whole circuit. However, using multiple commitments has been discouraged due to the additional cost to the verifier and it has not been supported in the recursive in-circuit Groth16 verifier and Solidi...

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2024-45039
• FIX: Consensys/gnark@e7c66b0
• WEB: GHSA-q3hw-3gm4-w5cr

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/Consensys/gnark
      vulnerable_at: 0.11.0
summary: CVE-2024-45039 in github.com/Consensys/gnark
cves:
    - CVE-2024-45039
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-45039
    - fix: https://github.com/Consensys/gnark/commit/e7c66b000454f4d2a4ae48c005c34154d4cfc2a2
    - web: https://github.com/Consensys/gnark/security/advisories/GHSA-q3hw-3gm4-w5cr
source:
    id: CVE-2024-45039
    created: 2024-09-06T14:01:21.168247948Z
review_status: UNREVIEWED