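# Go vulnerability database report for the gnark zk-SNARK library.
# Nesting restored: the flattened listing repeated `symbols` and
# `derived_symbols` at the top level, so a parser would have kept only the
# last occurrence of each and lost the per-package symbol lists.
id: GO-2023-2098
modules:
  - module: github.com/consensys/gnark
    versions:
      # Only a fixed bound is given, so every release before 0.9.0 is in range.
      - fixed: 0.9.0
    # A 0.9.0 pre-release: it sorts before 0.9.0 in semver ordering, so
    # builds pinned to 0.9.0-alpha are still treated as affected.
    vulnerable_at: 0.9.0-alpha
    packages:
      # Both constraint-system frontends (r1cs and scs) list the same
      # comparison and assertion builder methods.
      - package: github.com/consensys/gnark/frontend/cs/r1cs
        symbols:
          - builder.Cmp
          - builder.AssertIsLessOrEqual
          - builder.mustBeLessOrEqVar
          - builder.mustBeLessOrEqCst
        # Presumably listed because it reaches one of the symbols above;
        # confirm against the linked fix.
        derived_symbols:
          - builder.ToBinary
      - package: github.com/consensys/gnark/frontend/cs/scs
        symbols:
          - builder.Cmp
          - builder.AssertIsLessOrEqual
          - builder.mustBeLessOrEqVar
          - builder.mustBeLessOrEqCst
        derived_symbols:
          - builder.ToBinary
      # A Go `internal` package cannot be imported from outside the gnark
      # module, so this entry matters only for code inside gnark itself.
      - package: github.com/consensys/gnark/internal/backend/circuits
        symbols:
          - recursiveHint.Define
      - package: github.com/consensys/gnark/std/math/bits
        symbols:
          - WithNbDigits
# Circuits that use the listed comparison or bit-decomposition symbols for
# range or ordering checks are the ones to review. A version match alone
# does not show that an affected symbol is actually called.
summary: |-
  Unsoundness in variable comparison / non-unique binary decomposition in
  github.com/consensys/gnark
cves:
  - CVE-2023-44378
ghsas:
  - GHSA-498w-5j49-vqjg
credits:
  - '@kustosz'
references:
  # The report link points at an issue in a different repository
  # (zkopru-network/zkopru); the fix links are in Consensys/gnark.
  - report: https://github.com/zkopru-network/zkopru/issues/116
  - fix: https://github.com/Consensys/gnark/pull/835
  - fix: https://github.com/Consensys/gnark/commit/59a4087261a6c73f13e80d695c17b398c3d0934f
  - advisory: https://github.com/advisories/GHSA-498w-5j49-vqjg
review_status: REVIEWED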