[MAVEN:GHSA-R28H-X6HV-2FQ3] Improper Verification of Cryptographic Signature in starkbank-ecdsa

Severity Critical

Affected Packages 1

Fixed Packages 1

CVEs 1

The verify function in the Stark Bank Java ECDSA library (ecdsa-java) 1.0.0 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.

Package	Affected Version
pkg:maven/com.starkbank/starkbank-ecdsa	< 1.0.1

Package	Fixed Version
pkg:maven/com.starkbank/starkbank-ecdsa	= 1.0.1

ID: MAVEN:GHSA-R28H-X6HV-2FQ3
Severity: critical
URL: https://github.com/advisories/GHSA-r28h-x6hv-2fq3
Published: 2021-11-10T20:48:00
(2 years ago)
Modified: 2023-04-19T20:27:02
(17 months ago)
Rights: Maven Security Team

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2021-43570
			https://github.com/starkbank/ecdsa-java/releases/tag/v1.0.1
			https://research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signature-forgery-in-stark-bank-ecdsa-libraries/
			https://github.com/starkbank/ecdsa-java/pull/16
			https://github.com/starkbank/ecdsa-java/commit/ed22e484186d6c66d3686bfe39d01bdbabf219b6
			https://github.com/advisories/GHSA-r28h-x6hv-2fq3

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/com.starkbank/starkbank-ecdsa	com.starkbank	starkbank-ecdsa	< 1.0.1
Fixed	pkg:maven/com.starkbank/starkbank-ecdsa	com.starkbank	starkbank-ecdsa	= 1.0.1

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date