CVE-2021-43572: Improper Verification of Cryptographic Signature in starkbank-ecdsa

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.47322%
Published: 11/10/2021
Updated: 10/25/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: starkbank-ecdsa
Ecosystem: pip
Vulnerable Versions: < 2.0.1
First Patched Version: 2.0.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The GitHub commit diff shows that critical validation checks were added to the verify() method in ellipticcurve/ecdsa.py. The vulnerability description explicitly states that the verify function failed to check for non-zero signatures, and the CWE-347 classification and advisory details confirm this is a signature verification flaw. The patch adds range checks on the signature components r and s directly in the verify method, confirming that this was the vulnerable function.


WAF Protection Rules

WAF Rule

The `verify` function in the Stark Bank Python ECDSA library (starkbank-ecdsa), in versions before 2.0.1, fails to check that the signature is non-zero, which allows attackers to forge signatures on arbitrary messages.
