CVE-2021-43568

Name of the Vulnerable Software and Affected Versions Stark Bank Elixir ECDSA library (ecdsa-elixir) version 1.0.0 ecdsa-python versions prior to 2.0.1 ecdsa-java versions prior to 1.0.1 ecdsa-dotnet versions prior to 1.3.2 ecdsa-node versions prior to 1.1.3

Description The verify function in the Stark Bank ECDSA libraries fails to check that the signature is non-zero, allowing attackers to forge signatures on arbitrary messages. This may allow attackers to authenticate as any user within the Stark Bank platform and bypass signature verification needed to perform operations on the platform, such as sending payments and transferring funds. The libraries have around 16k weekly downloads for the ecdsa-node implementation and over 7.3M downloads in the last 90 days on PyPI for the Python implementation. The vulnerability affects the ECDSA signature verification functions, which fail to perform the first check, ensuring that the r and s components of the signatures are in the correct range.

Recommendations For ecdsa-elixir version 1.0.0, update to version 1.0.1 or later. For ecdsa-python versions prior to 2.0.1, update to version 2.0.1 or later. For ecdsa-java versions prior to 1.0.1, update to version 1.0.1 or later. For ecdsa-dotnet versions prior to 1.3.2, update to version 1.3.2 or later. For ecdsa-node versions prior to 1.1.3, update to version 1.1.3 or later.