PT-2019-4890 · Python+3 · Python-Ecdsa+3

Tomato42

Published

2019-10-07

Updated

2024-06-15

CVE-2019-14859

CVSS v2.0

9.4

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:N

Name of the Vulnerable Software and Affected Versions python-ecdsa versions prior to 0.13.3

Description A flaw was found in the python-ecdsa library where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. An attacker could use a malleable signature to create false transactions, potentially impacting the confidentiality and integrity of protected information.

Recommendations For versions prior to 0.13.3, update to version 0.13.3 or later to resolve the issue. As a temporary workaround, consider implementing additional signature verification measures to minimize the risk of exploitation. Restrict the use of the python-ecdsa library until a patch is applied.

Exploit

Fix

Improper Verification of Cryptographic Signature

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-347

Related Identifiers

ALT-PU-2020-3226

BDU:2020-01481

CVE-2019-14859

DLA-1978-1

DSA-4588-1

GHSA-8QXJ-F9RH-9FG2

MGASA-2020-0002

OPENSUSE-SU-2019:2472-1

OPENSUSE-SU-2019:2474-1

OPENSUSE-SU-2019_2472-1

OPENSUSE-SU-2019_2474-1

OPENSUSE-SU-2024:11229-1

OPENSUSE-SU-2024:13862-1

PYSEC-2020-163

PYSEC-2020-182

RHSA-2021:4702

SUSE-SU-2019:2891-1

SUSE-SU-2019:2891-2

SUSE-SU-2019:3024-1

SUSE-SU-2019_2891-1

SUSE-SU-2019_2891-2

SUSE-SU-2019_3024-1

USN-4196-1

Affected Products

Alt Linux

Suse

Ubuntu

Python-Ecdsa

PT-2019-4890 · Python+3 · Python-Ecdsa+3

CVE-2019-14859

Weakness Enumeration

Related Identifiers

Affected Products

References · 51