Information Exposure Affecting risc0-zkvm package, versions >=0.0.0

Q: How to fix?

There is no fixed version for risc0-zkvm .

Threat Intelligence

Proof of concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-RUST-RISC0ZKVM-7462808
published17 Jul 2024
disclosed15 Jul 2024
creditUlrich Habock, Al Kindi

Report a new vulnerability Found a mistake?

Introduced: 15 Jul 2024

CWE-200 (opens in a new tab) First added by Snyk

How to fix?

There is no fixed version for risc0-zkvm.

Overview

risc0-zkvm is a RISC-V virtual machine that produces zero-knowledge proofs of code it executes.

Affected versions of this package are vulnerable to Information Exposure. An attacker can potentially exploit this vulnerability to infer details about the program execution by analyzing the proofs, despite the proofs being designed to conceal such information.

Note:

This is only exploitable if the attacker has access to the proofs and possesses advanced knowledge in cryptographic analysis.

References

Research Paper

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None