Improper Verification of Cryptographic Signature in starkbank-ecdsa

2021-11-1020:58:03

Google

osv.dev

0.003 Low

EPSS

Percentile

68.8%

JSON

The verify function in the Stark Bank .NET ECDSA library (ecdsa-dotnet) 1.3.1 fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.

CPENameOperatorVersion
starkbank-ecdsaeq1.3.1
starkbank-ecdsaeq1.0.0
starkbank-ecdsaeq1.2.1
starkbank-ecdsaeq1.1.0
starkbank-ecdsaeq0.0.1
starkbank-ecdsaeq1.2.0
starkbank-ecdsaeq1.3.0

Name	Operator	Version
starkbank-ecdsa	eq	1.3.1
starkbank-ecdsa	eq	1.0.0
starkbank-ecdsa	eq	1.2.1
starkbank-ecdsa	eq	1.1.0
starkbank-ecdsa	eq	0.0.1
starkbank-ecdsa	eq	1.2.0
starkbank-ecdsa	eq	1.3.0