{"id":"PYSEC-2021-426","details":"The verify function in the Stark Bank Python ECDSA library (ecdsa-python) 2.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages. Although the description names 2.0.0, the affected range in this record covers every release before the fix in 2.0.1.","aliases":["CVE-2021-43572","GHSA-92vm-mxjf-jqf3"],"modified":"2023-11-08T04:07:10.830168Z","published":"2021-11-09T22:15:00Z","references":[{"type":"ADVISORY","url":"https://research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signature-forgery-in-stark-bank-ecdsa-libraries/"},{"type":"WEB","url":"https://github.com/starkbank/ecdsa-python/releases/tag/v2.0.1"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-92vm-mxjf-jqf3"}],"affected":[{"package":{"name":"starkbank-ecdsa","ecosystem":"PyPI","purl":"pkg:pypi/starkbank-ecdsa"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.1"}]}],"versions":["0.1","0.1.1","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","1.0.0","1.1.0","1.1.1","2.0.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/starkbank-ecdsa/PYSEC-2021-426.yaml"}}],"schema_version":"1.7.3"}