Improper Verification of Cryptographic Signature in starkbank-ecdsa

2021-11-1020:58:42

Google

osv.dev

0.003 Low

EPSS

Percentile

68.9%

JSON

The verify function in the Stark Bank Node.js ECDSA library (ecdsa-node) 1.1.2 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.

CPENameOperatorVersion
starkbank-ecdsalt1.1.3

CPE	Name	Operator	Version
	starkbank-ecdsa	lt	1.1.3

References

github.com/starkbank/ecdsa-node

github.com/starkbank/ecdsa-node/releases/tag/v1.1.3

nvd.nist.gov/vuln/detail/CVE-2021-43571

research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signature-forgery-in-stark-bank-ecdsa-libraries

0.003 Low

EPSS

Percentile

68.9%

JSON

Related for OSV:GHSA-Q9Q6-F556-GPM7