Product Research Enterprise Plans Docs

PyPi: Fastecdsa

CVE-2024-21502

Safety vulnerability ID: 65693

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Feb 24, 2024 Updated at Nov 29, 2024

Scan your Python projects for vulnerabilities →

Advisory

Affected package

fastecdsa

Latest version: 2.3.2

Fast elliptic curve digital signatures

Affected versions

Fixed versions

Vulnerability changelog

Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, due to being used and interpreted as user-defined type. Depending on the variable's actual value it could be arbitrary free(), arbitrary realloc(), null pointer dereference and other. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structure, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability. See CVE-2024-21502.

MISC:https://gist.github.com/keltecc/49da037072276f21b005a8337c15db26: https://gist.github.com/keltecc/49da037072276f21b005a8337c15db26
MISC:https://github.com/AntonKueltz/fastecdsa/blob/v2.3.1/src/curveMath.c%23L210: https://github.com/AntonKueltz/fastecdsa/blob/v2.3.1/src/curveMath.c%23L210
MISC:https://github.com/AntonKueltz/fastecdsa/commit/57fc5689c95d649dab7ef60cc99ac64589f01e36: https://github.com/AntonKueltz/fastecdsa/commit/57fc5689c95d649dab7ef60cc99ac64589f01e36
MISC:https://security.snyk.io/vuln/SNYK-PYTHON-FASTECDSA-6262045: https://security.snyk.io/vuln/SNYK-PYTHON-FASTECDSA-6262045

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application