9.1

CVSS Score

Basic Information

CVE ID

CVE-2019-14859

GHSA ID

GHSA-8qxj-f9rh-9fg2

EPSS Score

CWE

CWE-347

Published

4/1/2020

Updated

9/20/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-14859

CVE-2019-14859:
Improper Verification of Cryptographic Signature in Pure-Python ECDSA

A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.

(GitHub Advisory)

9.1

CVSS Score

Basic Information

CVE ID

CVE-2019-14859

GHSA ID

GHSA-8qxj-f9rh-9fg2

EPSS Score

CWE

CWE-347

Published

4/1/2020

Updated

9/20/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ecdsa	pip	< 0.13.3	0.13.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper DER encoding validation. The commit diff shows critical additions to remove_integer (checks for zero-padding in integers) and read_length (minimal length encoding validation). These functions directly handled DER parsing but lacked strict encoding rules enforcement pre-patch. The added tests in test_der.py explicitly target these failure modes, confirming their role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *l*w w*s *oun* in *ll pyt*on-***s* v*rsions ***or* *.**.*, w**r* it *i* not *orr**tly v*ri*y w**t**r si*n*tur*s us** **R *n*o*in*. Wit*out t*is v*ri*i**tion, * m*l*orm** si*n*tur* *oul* ** ****pt**, m*kin* t** si*n*tur* m*ll***l*. Wit*out prop*r v*

Reasoning

T** vuln*r**ility st*mm** *rom improp*r **R *n*o*in* v*li**tion. T** *ommit *i** s*ows *riti**l ***itions to `r*mov*_int***r` (****ks *or z*ro-p***in* in int***rs) *n* `r***_l*n*t*` (minim*l l*n*t* *n*o*in* v*li**tion). T**s* *un*tions *ir**tly **n*l

9.1

Basic Information

Concerned about an active attack path?

CVE-2019-14859: Improper Verification of Cryptographic Signature in Pure-Python ECDSA

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2019-14859:
Improper Verification of Cryptographic Signature in Pure-Python ECDSA

Vulnerability Intelligence
Miggo AI