Dependency starkbank-ecdsa forces high-severity vulnerability

[mikeckennedy]

Github has alerted us that our project has a high-severity vulnerability starkbank-ecdsa version 1.1.1. The requirements file here forces us to install it (see requirements.txt):

starkbank-ecdsa>=1.0.0,<2.0.0

Please fix this so we don't have to install this library to use sendgrid.

From the github alert:

GHSA-9wx7-jrvc-28mm
high severity
Vulnerable versions: < 2.0.1
Patched version: 2.0.1

An attacker can forge signatures on arbitrary messages that 
will verify for any public key. This may allow attackers to 
authenticate as any user within the Stark Bank platform, and 
bypass signature verification needed to perform operations 
on the platform, such as send payments and transfer funds. 
Additionally, the ability for attackers to forge signatures may 
impact other users and projects using these libraries in different 
and unforeseen ways.

PS - what does it use this library anyway? Seems odd that an email library depends on bank software.

[kapilt]

this issue ideally shouldn't be closed till their is a release, as it affects every user of this library and they can't do anything about it till a release exists.

[JenniferMah]

Hi @kapilt I've reopened this issue. The fix will included in the next release on 11/17/21.

[vahedq]

Any chance this could be released sooner so we can honor SOC2 Vuln fix SLA without pinning dependency?

[adavis444]

An earlier security release addressing CVE-2021-43572 would be much appreciated!

I've had to patch my requirements.txt in the interim:

sendgrid @ git+https://github.com/sendgrid/sendgrid-python.git@main # tracking main to avoid a vulnerability, can then be pinned for sendgrid>6.9.0
starkbank-ecdsa>=2.0.1 # not directly required, used by sendgrid, pinned to avoid vulnerability CVE-2021-43572

[JenniferMah]

Thanks for your patience everyone! The fix should be included in v6.9.1 of the Sendgrid-python library.