
Dependency starkbank-ecdsa forces high-severity vulnerability #1023

Closed
mikeckennedy opened this issue Nov 9, 2021 · 5 comments · Fixed by #1022
Labels: status: ready for deploy (code ready to be released in next deploy); type: security (known security issue)

Comments

@mikeckennedy
Contributor

mikeckennedy commented Nov 9, 2021

Github has alerted us that our project has a high-severity vulnerability in starkbank-ecdsa version 1.1.1. The requirements file here forces us to install it (see requirements.txt):

starkbank-ecdsa>=1.0.0,<2.0.0

Please fix this so we don't have to install this library to use sendgrid.

From the github alert:

GHSA-9wx7-jrvc-28mm
high severity
Vulnerable versions: < 2.0.1
Patched version: 2.0.1

An attacker can forge signatures on arbitrary messages that will verify for any public key. This may allow attackers to authenticate as any user within the Stark Bank platform, and bypass signature verification needed to perform operations on the platform, such as send payments and transfer funds. Additionally, the ability for attackers to forge signatures may impact other users and projects using these libraries in different and unforeseen ways.

PS - what does it use this library for anyway? Seems odd that an email library depends on bank software.

@kapilt

kapilt commented Nov 10, 2021

This issue ideally shouldn't be closed till there is a release, as it affects every user of this library and they can't do anything about it till a release exists.

@JenniferMah
Contributor

Hi @kapilt, I've reopened this issue. The fix will be included in the next release on 11/17/21.

@vahedq

vahedq commented Nov 11, 2021

Any chance this could be released sooner so we can honor SOC2 Vuln fix SLA without pinning dependency?

@adavis444

An earlier security release addressing CVE-2021-43572 would be much appreciated!

I've had to patch my requirements.txt in the interim:

sendgrid @ git+https://github.com/sendgrid/sendgrid-python.git@main # tracking main to avoid a vulnerability, can then be pinned for sendgrid>6.9.0
starkbank-ecdsa>=2.0.1 # not directly required, used by sendgrid, pinned to avoid vulnerability CVE-2021-43572
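
As an added example (not code from this issue or from sendgrid-python), the following checks whether a requirements.txt pin such as the original `starkbank-ecdsa>=1.0.0,<2.0.0` or the interim `starkbank-ecdsa>=2.0.1` still admits a version in the advisory's vulnerable range (< 2.0.1). It assumes dotted-integer versions and the comparison operators used on this page, and it skips `name @ url` direct references like the git pin above, since those carry no version range.

```python
"""Audit requirement pins against an advisory's patched version (constructed example)."""
import re

# Advisory data from this page: GHSA-9wx7-jrvc-28mm, vulnerable versions < 2.0.1.
PATCHED = {"starkbank-ecdsa": (2, 0, 1)}

def parse_version(text):
    """'2.0.1' -> (2, 0, 1); dotted integers only (assumption for this example)."""
    return tuple(int(part) for part in text.strip().split("."))

def parse_requirement(line):
    """'name>=1.0.0,<2.0.0  # note' -> ('name', [('>=', (1,0,0)), ('<', (2,0,0))])."""
    line = line.split("#", 1)[0].strip()
    name, spec = re.match(r"^([A-Za-z0-9_.-]+)\s*(.*)$", line).groups()
    clauses = []
    for clause in filter(None, (c.strip() for c in spec.split(","))):
        op, ver = re.match(r"^(>=|<=|==|>|<)\s*(.+)$", clause).groups()
        clauses.append((op, parse_version(ver)))
    return name.lower(), clauses

def admits_vulnerable(clauses, patched):
    """True if some version below `patched` satisfies every clause.

    The clauses are intersected into one interval; a bound is (version, inclusive).
    The advisory contributes the exclusive upper bound `patched`."""
    low, high = None, (patched, False)
    for op, ver in clauses:
        if op in (">=", ">", "=="):
            cand = (ver, op != ">")  # '>' is exclusive
            if low is None or cand[0] > low[0] or (cand[0] == low[0] and not cand[1]):
                low = cand
        if op in ("<=", "<", "=="):
            cand = (ver, op != "<")  # '<' is exclusive
            if cand[0] < high[0] or (cand[0] == high[0] and not cand[1]):
                high = cand
    if low is None or low[0] < high[0]:
        return True
    return low[0] == high[0] and low[1] and high[1]  # single point, both inclusive

def audit(requirements_text, patched=PATCHED):
    """Map each advisory-listed package in the file to whether its pin is still exposed."""
    findings = {}
    for line in requirements_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or " @ " in line:
            continue  # blank, comment, or direct reference without a version range
        name, clauses = parse_requirement(line)
        if name in patched:
            findings[name] = admits_vulnerable(clauses, patched[name])
    return findings

# Constructed inputs mirroring the two pins quoted in this thread.
ORIGINAL_PIN = "starkbank-ecdsa>=1.0.0,<2.0.0\n"
INTERIM_PIN = "starkbank-ecdsa>=2.0.1  # pinned to avoid vulnerability CVE-2021-43572\n"
```

Running `audit(ORIGINAL_PIN)` reports the package as still exposed, while `audit(INTERIM_PIN)` does not.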

@JenniferMah
Contributor

Thanks for your patience everyone! The fix should be included in v6.9.1 of the Sendgrid-python library.
