GHSA-9wx7-jrvc-28mm

Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-9wx7-jrvc-28mm/GHSA-9wx7-jrvc-28mm.json

Published

2021-11-08T21:51:18Z

Modified

2023-04-11T01:46:13.182818Z

Details

An attacker can forge signatures on arbitrary messages that will verify for any public key. This may allow attackers to authenticate as any user within the Stark Bank platform, and bypass signature verification needed to perform operations on the platform, such as send payments and transfer funds. Additionally, the ability for attackers to forge signatures may impact other users and projects using these libraries in different and unforeseen ways.

References

Affected packages

PyPI / starkbank-ecdsa

starkbank-ecdsa

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0

Fixed

2.0.1

Affected versions

0.*

0.1

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.1.7

0.1.8

0.1.9

1.*

1.0.0

1.1.0

1.1.1

2.*

2.0.0

Maven / com.starkbank:ecdsa-java

com.starkbank:ecdsa-java

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.0.0

Fixed

1.0.1

Affected versions

1.*

1.0.0

NuGet / starkbank-ecdsa

starkbank-ecdsa

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.3.1

Fixed

1.3.2

Affected versions

1.*

1.3.1

npm / starkbank-ecdsa

starkbank-ecdsa

Affected ranges

Type: SEMVER
Events: Introduced

1.1.2

Fixed

1.1.3

Affected versions

1.*

1.1.2