Vulnerability Description
The verify function in the Stark Bank Python ECDSA library (aka starkbank-escada or ecdsa-python) before 2.0.1 fails to check that the signature components are non-zero (the standard ECDSA check that both r and s lie in the range [1, n-1]), which allows an attacker who does not hold the private key to forge signatures on arbitrary messages.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Starkbank | Ecdsa-Python | < 2.0.1 |
Related Weaknesses (CWE)
References
- https://github.com/starkbank/ecdsa-python/commit/d136170666e9510eb63c25725518058 (Patch, Third Party Advisory)
- https://github.com/starkbank/ecdsa-python/releases/tag/v2.0.1 (Release Notes, Third Party Advisory)
- https://research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signature- (Exploit, Third Party Advisory)
FAQ
What is CVE-2021-43572?
CVE-2021-43572 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The verify function in the Stark Bank Python ECDSA library (aka starkbank-escada or ecdsa-python) before 2.0.1 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.
How severe is CVE-2021-43572?
CVE-2021-43572 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-43572?
Yes. The fix shipped in ecdsa-python 2.0.1; the patch commit and the v2.0.1 release notes are linked in the References section above. Affected products include: Starkbank Ecdsa-Python (versions before 2.0.1). Upgrade to 2.0.1 or later.