ecdsa@0.15 vulnerabilities

ECDSA cryptographic signature library (pure python)

Direct Vulnerabilities

Known vulnerabilities in the ecdsa package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Missing Encryption of Sensitive Data

ecdsa is an easy-to-use implementation of ECDSA cryptography (Elliptic Curve Digital Signature Algorithm), implemented purely in Python, released under the MIT license.

Affected versions of this package are vulnerable to Missing Encryption of Sensitive Data due to insufficient protection. For a sophisticated attacker observing just one operation with a private key will be sufficient to completely reconstruct the private key.

Note: Fixes for side-channel vulnerabilities will not be developed.

How to fix Missing Encryption of Sensitive Data?

There is no fixed version for ecdsa.

[0,)
  • H
Timing Attack

ecdsa is an easy-to-use implementation of ECDSA cryptography (Elliptic Curve Digital Signature Algorithm), implemented purely in Python, released under the MIT license.

Affected versions of this package are vulnerable to Timing Attack via the sign_digest API function. An attacker can leak the internal nonce which may allow for private key discovery by timing signatures.

Notes:

  1. This library was not designed with security in mind. If you are processing data that needs to be protected we suggest you use a quality wrapper around OpenSSL. pyca/cryptography is one example of such a wrapper

  2. That means both ECDSA signatures, key generation and ECDH operations are affected. ECDSA signature verification is unaffected.

  3. The maintainers don't plan to release a fix to this vulnerability.

How to fix Timing Attack?

There is no fixed version for ecdsa.

[0,)