Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05MnZtLW14amYtanFmM80XJA
Improper Verification of Cryptographic Signature in starkbank-ecdsa
The verify
function in the Stark Bank Python ECDSA library (starkbank-ecdsa) 2.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05MnZtLW14amYtanFmM80XJA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 2 years ago
Updated: 9 months ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-92vm-mxjf-jqf3, CVE-2021-43572
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-43572
- https://github.com/starkbank/ecdsa-python/releases/tag/v2.0.1
- https://research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signature-forgery-in-stark-bank-ecdsa-libraries/
- https://github.com/starkbank/ecdsa-python/commit/d136170666e9510eb63c2572551805807bd4c17f
- https://github.com/advisories/GHSA-92vm-mxjf-jqf3
Blast Radius: 29.3
Affected Packages
pypi:starkbank-ecdsa
Dependent packages: 4Dependent repositories: 981
Downloads: 5,737,105 last month
Affected Version Ranges: < 2.0.1
Fixed in: 2.0.1
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 1.0.0, 1.1.0, 1.1.1, 2.0.0
All unaffected versions: 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.2.0