Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/fastecdsa@1.0.1b1
Type pypi
Namespace
Name fastecdsa
Version 1.0.1b1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.3.2
Latest_non_vulnerable_version 2.3.2
Affected_by_vulnerabilities
0
url VCID-8nfq-s4yw-5yab
vulnerability_id VCID-8nfq-s4yw-5yab
summary Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, because the uninitialized value is used and interpreted as a user-defined type. Depending on the variable's actual value, this could result in an arbitrary free(), an arbitrary realloc(), a null pointer dereference, or other outcomes. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structures, leading to possible heap exploitation. The attacker could cause a denial of service by exploiting this vulnerability.
references
0
reference_url https://gist.github.com/keltecc/49da037072276f21b005a8337c15db26
reference_id
reference_type
scores
url https://gist.github.com/keltecc/49da037072276f21b005a8337c15db26
1
reference_url https://github.com/AntonKueltz/fastecdsa
reference_id
reference_type
scores
url https://github.com/AntonKueltz/fastecdsa
2
reference_url https://github.com/AntonKueltz/fastecdsa/blob/v2.3.1/src/curveMath.c%23L210
reference_id
reference_type
scores
url https://github.com/AntonKueltz/fastecdsa/blob/v2.3.1/src/curveMath.c%23L210
3
reference_url https://github.com/AntonKueltz/fastecdsa/commit/57fc5689c95d649dab7ef60cc99ac64589f01e36
reference_id
reference_type
scores
url https://github.com/AntonKueltz/fastecdsa/commit/57fc5689c95d649dab7ef60cc99ac64589f01e36
4
reference_url https://security.snyk.io/vuln/SNYK-PYTHON-FASTECDSA-6262045
reference_id
reference_type
scores
url https://security.snyk.io/vuln/SNYK-PYTHON-FASTECDSA-6262045
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-21502
reference_id CVE-2024-21502
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-21502
6
reference_url https://github.com/advisories/GHSA-ph86-g9r3-5qw4
reference_id GHSA-ph86-g9r3-5qw4
reference_type
scores
url https://github.com/advisories/GHSA-ph86-g9r3-5qw4
fixed_packages
0
url pkg:pypi/fastecdsa@2.3.2
purl pkg:pypi/fastecdsa@2.3.2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/fastecdsa@2.3.2
aliases CVE-2024-21502, GHSA-ph86-g9r3-5qw4, PYSEC-2024-39
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8nfq-s4yw-5yab
1
url VCID-wu1n-6amw-tfd3
vulnerability_id VCID-wu1n-6amw-tfd3
summary An issue was discovered in fastecdsa before 2.1.2. When using the NIST P-256 curve in the ECDSA implementation, the point at infinity is mishandled. This means that for an extreme value in k and s^-1, the signature verification fails even if the signature is correct. This behavior is not solely a usability problem. There are some threat models where an attacker can benefit by successfully guessing users for whom signature verification will fail.
references
0
reference_url https://github.com/advisories/GHSA-56wv-2wr9-3h9r
reference_id
reference_type
scores
url https://github.com/advisories/GHSA-56wv-2wr9-3h9r
1
reference_url https://github.com/AntonKueltz/fastecdsa
reference_id
reference_type
scores
url https://github.com/AntonKueltz/fastecdsa
2
reference_url https://github.com/AntonKueltz/fastecdsa/commit/4a16daeaf139be20654ef58a9fe4c79dc030458c
reference_id
reference_type
scores
url https://github.com/AntonKueltz/fastecdsa/commit/4a16daeaf139be20654ef58a9fe4c79dc030458c
3
reference_url https://github.com/AntonKueltz/fastecdsa/commit/7b64e3efaa806b4daaf73bb5172af3581812f8de
reference_id
reference_type
scores
url https://github.com/AntonKueltz/fastecdsa/commit/7b64e3efaa806b4daaf73bb5172af3581812f8de
4
reference_url https://github.com/AntonKueltz/fastecdsa/commit/e592f106edd5acf6dacedfab2ad16fe6c735c9d1
reference_id
reference_type
scores
url https://github.com/AntonKueltz/fastecdsa/commit/e592f106edd5acf6dacedfab2ad16fe6c735c9d1
5
reference_url https://github.com/AntonKueltz/fastecdsa/issues/52
reference_id
reference_type
scores
url https://github.com/AntonKueltz/fastecdsa/issues/52
6
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/fastecdsa/PYSEC-2020-42.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/fastecdsa/PYSEC-2020-42.yaml
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2020-12607
reference_id CVE-2020-12607
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2020-12607
fixed_packages
0
url pkg:pypi/fastecdsa@2.1.2
purl pkg:pypi/fastecdsa@2.1.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8nfq-s4yw-5yab
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/fastecdsa@2.1.2
aliases CVE-2020-12607, GHSA-56wv-2wr9-3h9r, PYSEC-2020-42
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wu1n-6amw-tfd3
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/fastecdsa@1.0.1b1