PT-2021-23877 · Stark Bank · Stark Bank Python Ecdsa Library

Published: 2021-11-09 · Updated: 2022-03-24 · CVE-2021-43572

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Stark Bank Python ECDSA library version 2.0.0

Description: The verify function in the Stark Bank Python ECDSA library does not check that the signature is non-zero. A signature whose components are zero is therefore accepted as valid, which allows attackers to forge signatures on arbitrary messages.

Recommendations: For Stark Bank Python ECDSA library version 2.0.0, update to version 2.0.1 or later to resolve the issue. As a temporary workaround, add a check that the signature is non-zero before passing it to the verify function until the patched version can be deployed.
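Added example (not code from this advisory or from the Stark Bank library): a toy ECDSA implementation over a tiny constructed curve, with a verify routine that models the flaw described above placed beside a hardened one that applies the recommended non-zero check (extended to the full range check 1 <= r, s < n). The curve, keys, nonce and digest are made up for illustration and are far too small for real use. The modelled behaviour of the flawed path (an inverse routine that returns 0 for input 0, and the point at infinity compared as if it were (0, 0)) is an assumption about why an all-zero signature passes, not a reproduction of the library's code.

```python
"""Toy ECDSA showing why an unchecked (r, s) lets an all-zero signature verify,
and how the recommended range check closes the gap.

Constructed example: curve, keys, nonce and digest are made up for
illustration. Not the Stark Bank library's own code."""

# Curve y^2 = x^3 + 2x + 2 over GF(17); base point G has prime order 19.
P = 17
A = 2
G = (5, 1)
N = 19
INF = None  # the point at infinity


def _inv(x, m):
    """Modular inverse; raises ValueError when x has no inverse (e.g. x == 0)."""
    return pow(x, -1, m)


def add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * _inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * _inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication; mul(0, pt) is the point at infinity."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def sign(d, e, k):
    """ECDSA signing with private key d, digest e and nonce k.
    The nonce is passed in explicitly so the example is deterministic."""
    r = mul(k, G)[0] % N
    s = _inv(k, N) * (e + r * d) % N
    return (r, s)


def verify_unchecked(Q, e, sig):
    """Models the flawed verify (assumption, see lead-in): no range check on
    (r, s), an inverse that yields 0 for s == 0, and infinity treated as (0, 0)."""
    r, s = sig
    w = pow(s, N - 2, N)          # Fermat inverse: pow(0, N-2, N) == 0, no error raised
    u1 = e * w % N
    u2 = r * w % N
    R = add(mul(u1, G), mul(u2, Q))
    x = 0 if R is INF else R[0]   # infinity modelled as (0, 0), so x == r == 0 matches
    return x % N == r


def verify(Q, e, sig):
    """Hardened verify: rejects r or s outside [1, N-1] and a result at infinity."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False              # the check the advisory recommends adding
    w = _inv(s, N)
    u1 = e * w % N
    u2 = r * w % N
    R = add(mul(u1, G), mul(u2, Q))
    if R is INF:
        return False
    return R[0] % N == r


if __name__ == "__main__":
    d = 5                      # constructed private key
    Q = mul(d, G)              # public key (9, 16)
    sig = sign(d, e=8, k=3)    # genuine signature (10, 13) on digest 8
    print("genuine, hardened  :", verify(Q, 8, sig))            # True
    print("all-zero, flawed   :", verify_unchecked(Q, 8, (0, 0)))  # True: the flaw
    print("all-zero, hardened :", verify(Q, 8, (0, 0)))          # False
```

The workaround does not depend on the library's internals: checking 1 <= r < n and 1 <= s < n in a wrapper before calling the library's verify costs two comparisons and rejects the degenerate signature regardless of how the inverse or the point at infinity is handled inside.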

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

CVE-2021-43572
GHSA-92VM-MXJF-JQF3
PYSEC-2021-426

Affected Products

Stark Bank Python Ecdsa Library