CVE-2021-43572
- Source
- https://cve.org/CVERecord?id=CVE-2021-43572
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-43572.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-43572
- Aliases
- Published
- 2021-11-09T22:15:07.727Z
- Modified
- 2026-02-19T07:37:14.292145Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
The verify function in the Stark Bank Python ECDSA library (aka starkbank-escada or ecdsa-python) before 2.0.1 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.
- References
-
- https://github.com/starkbank/ecdsa-python/commit/d136170666e9510eb63c2572551805807bd4c17f
- https://github.com/starkbank/ecdsa-python/releases/tag/v2.0.1
- https://research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signature-forgery-in-stark-bank-ecdsa-libraries/
- https://github.com/starkbank/ecdsa-python/commit/d136170666e9510eb63c2572551805807bd4c17f
- https://research.nccgroup.com/2021/11/08/technical-advisory-arbitrary-signature-forgery-in-stark-bank-ecdsa-libraries/
Affected packages
Git / github.com/starkbank/ecdsa-python
Affected ranges
- Type
- GIT
- Repo
- https://github.com/starkbank/ecdsa-python
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroduced0 Unknown introduced commit / All previous commits are affectedFixed