GHSA-9wx7-jrvc-28mm

Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-9wx7-jrvc-28mm/GHSA-9wx7-jrvc-28mm.json
Published: 2021-11-08T21:51:18Z
Modified: 2022-06-10T02:17:35.406100Z
Details

An attacker can forge signatures on arbitrary messages that will verify for any public key. This may allow attackers to authenticate as any user within the Stark Bank platform and to bypass the signature verification needed to perform operations on the platform, such as sending payments and transferring funds. Additionally, the ability for attackers to forge signatures may impact other users and projects using these libraries in different and unforeseen ways.

Affected packages

PyPI / starkbank-ecdsa

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 0
  Fixed: 2.0.1

Affected versions

0.*

0.1
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9

1.*

1.0.0
1.1.0
1.1.1

2.*

2.0.0

Maven / com.starkbank:ecdsa-java

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 1.0.0
  Fixed: 1.0.1

Affected versions

1.*

1.0.0

NuGet / starkbank-ecdsa

Affected ranges

Type: ECOSYSTEM
Events:
  Introduced: 1.3.1
  Fixed: 1.3.2

Affected versions

1.*

1.3.1

npm / starkbank-ecdsa

Affected ranges

Type: SEMVER
Events:
  Introduced: 1.1.2
  Fixed: 1.1.3

Affected versions

1.*

1.1.2