Homepage
About Snyk

ecdsa@0.11 vulnerabilities

ECDSA cryptographic signature library (pure python)

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the ecdsa package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Missing Encryption of Sensitive Data

ecdsa is an easy-to-use implementation of ECDSA cryptography (Elliptic Curve Digital Signature Algorithm), implemented purely in Python, released under the MIT license.

Affected versions of this package are vulnerable to Missing Encryption of Sensitive Data due to insufficient protection. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key.

Note: Fixes for side-channel vulnerabilities will not be developed.

How to fix Missing Encryption of Sensitive Data?

There is no fixed version for ecdsa.

[0,)
  • H
Timing Attack

ecdsa is an easy-to-use implementation of ECDSA cryptography (Elliptic Curve Digital Signature Algorithm), implemented purely in Python, released under the MIT license.

Affected versions of this package are vulnerable to Timing Attack via the sign_digest API function. An attacker can leak the internal nonce which may allow for private key discovery by timing signatures.

Notes:

  1. This library was not designed with security in mind. If you are processing data that needs to be protected we suggest you use a quality wrapper around OpenSSL. pyca/cryptography is one example of such a wrapper

  2. That means both ECDSA signatures, key generation and ECDH operations are affected. ECDSA signature verification is unaffected.

  3. The maintainers don't plan to release a fix to this vulnerability.

How to fix Timing Attack?

There is no fixed version for ecdsa.

[0,)
  • M
Cryptographic Issues

ecdsa is an easy-to-use implementation of ECDSA cryptography (Elliptic Curve Digital Signature Algorithm), implemented purely in Python, released under the MIT license.

Affected versions of this package are vulnerable to Cryptographic Issues. A flaw exists where signatures used by DER encoding are not correctly verified. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.

How to fix Cryptographic Issues?

Upgrade ecdsa to version 0.13.3 or higher.

[,0.13.3)
  • L
Denial of Service (DoS)

ecdsa is an easy-to-use implementation of ECDSA cryptography (Elliptic Curve Digital Signature Algorithm), implemented purely in Python, released under the MIT license.

Affected versions of this package are vulnerable to Denial of Service (DoS). During signature decoding, malformed DER signatures could raise unexpected exceptions (or no exceptions at all), which could lead to a denial of service.

How to fix Denial of Service (DoS)?

Upgrade ecdsa to version 0.13.3 or higher.

[,0.13.3)
  • M
Timing Attack

ecdsa is an easy-to-use implementation of ECDSA cryptography (Elliptic Curve Digital Signature Algorithm), implemented purely in Python, released under the MIT license.

Affected versions of this package are vulnerable to Timing Attack. Practical recovery of the long-term private key generated by the library is possible under certain conditions. Leakage of bit-length of a scalar during scalar multiplication is possible on an elliptic curve which might allow practical recovery of the long-term private key.

How to fix Timing Attack?

Upgrade ecdsa to version 0.14 or higher.

[,0.14)
Go back to all versions of this package