Vulnerability Description
Zcash, before the Sapling network upgrade (2018-10-28), had a counterfeiting vulnerability. A key-generation process, during evaluation of polynomials related to a to-be-proven statement, produced certain bypass elements. Availability of these elements allowed a cheating prover to bypass a consistency check, and consequently transform the proof of one statement into an ostensibly valid proof of a different statement, thereby breaking the soundness of the proof system. This misled the original Sprout zk-SNARK verifier into accepting the correctness of a transaction.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Z.Cash | Zcash | <= 2.0.1 |
Related Weaknesses (CWE)
References
- http://fortune.com/2019/02/05/zcash-vulnerability-cryptocurrency/Press/Media CoverageThird Party Advisory
- https://github.com/JinBean/CVE-Extension
- https://z.cash/blog/zcash-counterfeiting-vulnerability-successfully-remediated/Vendor Advisory
- http://fortune.com/2019/02/05/zcash-vulnerability-cryptocurrency/Press/Media CoverageThird Party Advisory
- https://github.com/JinBean/CVE-Extension
- https://z.cash/blog/zcash-counterfeiting-vulnerability-successfully-remediated/Vendor Advisory
FAQ
What is CVE-2019-7167?
CVE-2019-7167 is a vulnerability with a CVSS score of 7.5 (HIGH). Zcash, before the Sapling network upgrade (2018-10-28), had a counterfeiting vulnerability. A key-generation process, during evaluation of polynomials related to a to-be-proven statement, produced cer...
How severe is CVE-2019-7167?
CVE-2019-7167 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-7167?
Check the references section above for vendor advisories and patch information. Affected products include: Z.Cash Zcash.