CVE-2019-14859
First published: Fri Oct 11 2019(Updated: )
A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/ecdsa | <0.13.3 | 0.13.3 |
| debian/python-ecdsa | 0.13-3+deb10u1 0.16.1-1 0.18.0-3 | |
| redhat/python-ecdsa | <0.13.3 | 0.13.3 |
| Python-ecdsa Project Python-ecdsa | <0.13.3 | |
| Redhat Ceph Storage | =2.0 | |
| Redhat Ceph Storage | =3.0 | |
| Redhat Openstack | =10 | |
| Redhat Openstack | =13 | |
| Redhat Openstack | =14 | |
| Redhat Openstack | =15 | |
| Redhat Virtualization | =4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2019-14859
- https://github.com/warner/python-ecdsa/issues/114
- https://github.com/warner/python-ecdsa/pull/115
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859
- https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3
- https://pypi.org/project/ecdsa/0.13.3/
- https://github.com/tlsfuzzer/python-ecdsa/commit/3427fa29f319b27898a28601955807abb44c0830
- https://github.com/tlsfuzzer/python-ecdsa/commit/9080d1d5ac533da0de00466aaffb49bee808bb4e
- https://github.com/tlsfuzzer/python-ecdsa/commit/b0ea52bb3aa9a16c9a4a91fdc0041edbfed10b31
- https://github.com/advisories/GHSA-8qxj-f9rh-9fg2 (Advisory)
- https://github.com/warner/python-ecdsa/pull/124
- https://security-tracker.debian.org/tracker/CVE-2019-14859
- https://en.bitcoinwiki.org/wiki/Transaction_Malleability
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1760845
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1760844
- https://access.redhat.com/errata/RHSA-2021:4702
- https://bugzilla.redhat.com/show_bug.cgi?id=1760843
- https://github.com/pypa/advisory-database/tree/main/vulns/ecdsa/PYSEC-2020-163.yaml
- https://pypi.org/project/ecdsa/0.13.3
Frequently Asked Questions
What is CVE-2019-14859?
CVE-2019-14859 is a vulnerability found in all python-ecdsa versions before 0.13.3. It allows for the acceptance of malformed signatures, making the signature malleable.
What is the severity of CVE-2019-14859?
CVE-2019-14859 has a severity score of 9.1, which is considered critical.
How does CVE-2019-14859 affect software?
CVE-2019-14859 affects python-ecdsa versions before 0.13.3, including packages from pip, redhat, and debian, as well as the Python-ecdsa Project.
How do I fix CVE-2019-14859?
To fix CVE-2019-14859, update to python-ecdsa version 0.13.3 or later.
Where can I find more information about CVE-2019-14859?
You can find more information about CVE-2019-14859 in the National Vulnerability Database (NVD) at https://nvd.nist.gov/vuln/detail/CVE-2019-14859.
- collector/security-tracker-debian
- agent/author
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-14859
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-8qxj-f9rh-9fg2
- agent/last-modified-date
- agent/references
- collector/nvd-cve
- source/NVD
- agent/tags
- collector/github-advisory
- package-manager/debian
- package-manager/redhat
- vendor/python-ecdsa project
- canonical/python-ecdsa project python-ecdsa
- vendor/redhat
- canonical/redhat ceph storage
- version/redhat ceph storage/2.0
- version/redhat ceph storage/3.0
- canonical/redhat openstack
- version/redhat openstack/10
- version/redhat openstack/13
- version/redhat openstack/14
- version/redhat openstack/15
- canonical/redhat virtualization
- version/redhat virtualization/4.0
- package-manager/pip