ecdsa@0.19.1 vulnerabilities

ECDSA cryptographic signature library (pure python)

latest version

0.19.1

first published

14 years ago

latest version published

22 days ago

licenses detected

MIT
[0,)

View ecdsa package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the ecdsa package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
H Missing Encryption of Sensitive Data ecdsa is an easy-to-use implementation of ECDSA cryptography (Elliptic Curve Digital Signature Algorithm), implemented purely in Python, released under the MIT license. Affected versions of this package are vulnerable to Missing Encryption of Sensitive Data due to insufficient protection. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key. Note: Fixes for side-channel vulnerabilities will not be developed. How to fix Missing Encryption of Sensitive Data? There is no fixed version for `ecdsa`.	[0,)
H Timing Attack ecdsa is an easy-to-use implementation of ECDSA cryptography (Elliptic Curve Digital Signature Algorithm), implemented purely in Python, released under the MIT license. Affected versions of this package are vulnerable to Timing Attack via the `sign_digest` API function. An attacker can leak the internal nonce which may allow for private key discovery by timing signatures. Notes: This library was not designed with security in mind. If you are processing data that needs to be protected we suggest you use a quality wrapper around OpenSSL. `pyca/cryptography` is one example of such a wrapper That means both `ECDSA` signatures, key generation and `ECDH` operations are affected. `ECDSA` signature verification is unaffected. The maintainers don't plan to release a fix to this vulnerability. How to fix Timing Attack? There is no fixed version for `ecdsa`.	[0,)

Missing Encryption of Sensitive Data

ecdsa is an easy-to-use implementation of ECDSA cryptography (Elliptic Curve Digital Signature Algorithm), implemented purely in Python, released under the MIT license.

Affected versions of this package are vulnerable to Missing Encryption of Sensitive Data due to insufficient protection. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key.

Note: Fixes for side-channel vulnerabilities will not be developed.

How to fix Missing Encryption of Sensitive Data?

There is no fixed version for ecdsa.

[0,)

Timing Attack

ecdsa is an easy-to-use implementation of ECDSA cryptography (Elliptic Curve Digital Signature Algorithm), implemented purely in Python, released under the MIT license.

Affected versions of this package are vulnerable to Timing Attack via the sign_digest API function. An attacker can leak the internal nonce which may allow for private key discovery by timing signatures.

Notes:

This library was not designed with security in mind. If you are processing data that needs to be protected we suggest you use a quality wrapper around OpenSSL. pyca/cryptography is one example of such a wrapper
That means both ECDSA signatures, key generation and ECDH operations are affected. ECDSA signature verification is unaffected.
The maintainers don't plan to release a fix to this vulnerability.

How to fix Timing Attack?

There is no fixed version for ecdsa.

[0,)

Go back to all versions of this package