PT-2021-23875 · Stark Bank · Stark Bank Java Ecdsa Library

Published: 2021-11-09 · Updated: 2021-11-12 · CVE-2021-43570

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Stark Bank Java ECDSA library (ecdsa-java) version 1.0.0

Description: The verify function in the Stark Bank Java ECDSA library fails to check that the signature is non-zero, allowing attackers to forge signatures on arbitrary messages.

Recommendations: For version 1.0.0, consider disabling the verify function until a patch is available to prevent attackers from forging signatures. Restrict the use of the library for critical operations that rely on the authenticity of messages.

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2021-43570
GHSA-R28H-X6HV-2FQ3

Affected Products

Stark Bank Java Ecdsa Library