Miggo Logo
Miggo Vulnerability Database
CVE-2021-43570

CVE-2021-43570:
Improper Verification of Cryptographic Signature in starkbank-ecdsa

9.8

CVSS Score
3.1

Basic Information

CVE ID
CVE-2021-43570
GHSA ID
GHSA-r28h-x6hv-2fq3
EPSS Score
0.44793%
CWE
CWE-347
Published
11/10/2021
Updated
1/20/2025
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.starkbank.ellipticcurve:starkbank-ecdsamaven< 1.0.11.0.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The GitHub commit diff explicitly shows the addition of range checks for r and s in the verify method of Ecdsa.java. The vulnerability description confirms the absence of these checks in versions <1.0.1 allowed signature forgery. The patch directly addresses this by adding four conditional checks (r >=1, r < N, s >=1, s < N) in the verify() function, confirming this was the vulnerable entry point.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** v*ri*y *un*tion in t** St*rk **nk J*v* ***S* li*r*ry (***s*-j*v*) *.*.* **ils to ****k t**t t** si*n*tur* is non-z*ro, w*i** *llows *tt**k*rs to *or** si*n*tur*s on *r*itr*ry m*ss***s.

Reasoning

T** *it*u* *ommit *i** *xpli*itly s*ows t** ***ition o* r*n** ****ks *or r *n* s in t** `v*ri*y` m*t*o* o* `***s*.j*v*`. T** vuln*r**ility **s*ription *on*irms t** **s*n** o* t**s* ****ks in v*rsions <*.*.* *llow** si*n*tur* *or**ry. T** p*t** *ir**t