Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05d3g3LWpydmMtMjhtbc0W9Q
Signature verification vulnerability in Stark Bank ecdsa libraries
An attacker can forge signatures on arbitrary messages that will verify for any public key. This may allow attackers to authenticate as any user within the Stark Bank platform and bypass the signature verification needed to perform operations on the platform, such as sending payments and transferring funds. Additionally, the ability of attackers to forge signatures may impact other users and projects using these libraries in different and unforeseen ways.
Permalink: https://github.com/advisories/GHSA-9wx7-jrvc-28mm
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05d3g3LWpydmMtMjhtbc0W9Q
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 3 years ago
Updated: almost 2 years ago
Identifiers: GHSA-9wx7-jrvc-28mm
References:
- https://github.com/starkbank/ecdsa-python/releases/tag/v2.0.1
- https://research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signature-forgery-in-stark-bank-ecdsa-libraries/
- https://github.com/starkbank/ecdsa-dotnet
- https://github.com/starkbank/ecdsa-java
- https://github.com/starkbank/ecdsa-node
- https://github.com/starkbank/ecdsa-python/commit/d136170666e9510eb63c2572551805807bd4c17f
- https://github.com/starkbank/ecdsa-python/compare/v2.0.0...v2.0.1
- https://github.com/advisories/GHSA-9wx7-jrvc-28mm
Blast Radius: 1.0
Affected Packages
npm:starkbank-ecdsa
Dependent packages: 16
Dependent repositories: 201
Downloads: 265,790 last month
Affected Version Ranges: = 1.1.2
Fixed in: 1.1.3
All affected versions:
All unaffected versions: 0.0.1, 0.0.2, 0.0.4, 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5
nuget:starkbank-ecdsa
Dependent packages: 16
Dependent repositories: 299
Downloads: 94,831,247 total
Affected Version Ranges: = 1.3.1
Fixed in: 1.3.2
All affected versions:
All unaffected versions: 0.0.1, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.3.0, 1.3.1, 1.3.2, 1.3.3
maven:com.starkbank:ecdsa-java
Affected Version Ranges: = 1.0.0
Fixed in: 1.0.1
pypi:starkbank-ecdsa
Dependent packages: 4
Dependent repositories: 981
Downloads: 6,549,445 last month
Affected Version Ranges: < 2.0.1
Fixed in: 2.0.1
All affected versions: 0.1.1, 0.1.2, 0.1.3, 0.1.4, 0.1.5, 0.1.6, 0.1.7, 0.1.8, 0.1.9, 1.0.0, 1.1.0, 1.1.1, 2.0.0
All unaffected versions: 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.2.0