GHSA-9wx7-jrvc-28mm – starkbank-ecdsa

Package

Manager: npm
Name: starkbank-ecdsa
Vulnerable Version: >=0 <2.0.1 || =1.3.1 || >=1.3.1 <1.3.2 || =1.1.2 || >=1.1.2 <1.1.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: N/A pctlN/A

Details

Signature verification vulnerability in Stark Bank ecdsa libraries An attacker can forge signatures on arbitrary messages that will verify for any public key. This may allow attackers to authenticate as any user within the Stark Bank platform, and bypass signature verification needed to perform operations on the platform, such as send payments and transfer funds. Additionally, the ability for attackers to forge signatures may impact other users and projects using these libraries in different and unforeseen ways.

Metadata

Created: 2021-11-08T21:51:18Z
Modified: 2021-11-08T21:34:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-9wx7-jrvc-28mm/GHSA-9wx7-jrvc-28mm.json
CWE IDs: ["CWE-347"]
Alternative ID: N/A
Finding: F163
Auto approve: 1