Dependency starkbank-ecdsa forces high-severity vulnerability
mikeckennedy opened this issue ยท 5 comments
Github has alerted us that our project has a high-severity vulnerability starkbank-ecdsa version 1.1.1. The requirements file here forces us to install it (see requirements.txt):
starkbank-ecdsa>=1.0.0,<2.0.0
Please fix this so we don't have to install this library to use sendgrid.
From the github alert:
GHSA-9wx7-jrvc-28mm
high severity
Vulnerable versions: < 2.0.1
Patched version: 2.0.1
An attacker can forge signatures on arbitrary messages that
will verify for any public key. This may allow attackers to
authenticate as any user within the Stark Bank platform, and
bypass signature verification needed to perform operations
on the platform, such as send payments and transfer funds.
Additionally, the ability for attackers to forge signatures may
impact other users and projects using these libraries in different
and unforeseen ways.
PS - what does it use this library anyway? Seems odd that an email library depends on bank software.
this issue ideally shouldn't be closed till their is a release, as it affects every user of this library and they can't do anything about it till a release exists.
Hi @kapilt I've reopened this issue. The fix will included in the next release on 11/17/21.
Any chance this could be released sooner so we can honor SOC2 Vuln fix SLA without pinning dependency?
An earlier security release addressing CVE-2021-43572 would be much appreciated!
I've had to patch my requirements.txt in the interim:
sendgrid @ git+https://github.com/sendgrid/sendgrid-python.git@main # tracking main to avoid a vulnerability, can then be pinned for sendgrid>6.9.0
starkbank-ecdsa>=2.0.1 # not directly required, used by sendgrid, pinned to avoid vulnerability CVE-2021-43572Thanks for your patience everyone! The fix should be included in v6.9.1 of the Sendgrid-python library.