High Security Vulnerability CVE-2024-23342 (ecdsa lib) #7248

Closed
tabdunabi opened this issue Jan 24, 2024 · 4 comments · Fixed by #7356
@tabdunabi

There is a High security vulnerability CVE-2024-23342 in the ecdsa lib, used by moto (see setup.cfg). We are using moto in our codebase, and the vulnerability is being flagged by our security scans, which is blocking our release.

  • When is the ecdsa lib required by moto?
  • Any possibility to make its installation optional?
  • Any chance it can be replaced by another lib, to mitigate the risk?
@tabdunabi tabdunabi changed the title High Sceurity Vulonaribility High Security Vulnerability CVE-2024-23342 (ecdsa lib) Jan 24, 2024
@tabdunabi
Author

According to ecdsa GitHub repo (see here), "As such, we don't plan to release a fix to this vulnerability."

@bblommers
Collaborator

Hi @tabdunabi, ecdsa is a transient dependency for two of our direct dependencies: python-jose and sshpubkeys.

python-jose is planned to be replaced - see #7244
sshpubkeys is required for the EC2 submodule in Moto, and indirectly in a few other submodules (DS, EBS, EFS, among others) that rely on EC2 for some of their operations.

The 'stock' moto installation does not pull in the ecdsa dependency - i.e. pip install moto is safe. Only if you use any of the listed submodules, and use pip install moto[ec2, ..], will the dependency be downloaded. So it is already optional.

At the end of the day, however, this is a library meant for testing purposes - not to be used with actual data in production. So I don't see how this is a security risk for Moto users.
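A reverse-dependency check for the situation described in the comment above, added here as an example and not part of moto's own code: given each distribution's Requires-Dist strings, it reports every chain from a root package to a flagged package and which extra, if any, each chain sits behind, so a scan finding can be traced to the direct dependency and install extra that introduce it. The SAMPLE_REQUIRES graph is constructed to mirror the thread (sshpubkeys only behind moto's ec2 extra, python-jose behind an assumed "all" extra) and is not moto's real metadata; live_requires() reads the same shape from the current environment through the standard-library importlib.metadata API.

```python
import re
from importlib.metadata import distributions

# Constructed sample graph: distribution -> its Requires-Dist strings.
# It mirrors the shape of the thread (sshpubkeys only behind moto's "ec2"
# extra, python-jose behind an assumed "all" extra); it is NOT moto's real
# metadata, and the version pins are illustrative.
SAMPLE_REQUIRES = {
    "moto": [
        "boto3>=1.9.201",
        'python-jose[cryptography]>=3.1.0,<4.0.0; extra == "all"',
        'sshpubkeys>=3.1.0; extra == "ec2"',
        'sshpubkeys>=3.1.0; extra == "all"',
    ],
    "boto3": ["botocore>=1.12.201"],
    "python-jose": ["ecdsa!=0.15", "rsa"],
    "sshpubkeys": ["cryptography>=2.1.4", "ecdsa>=0.13"],
    "ecdsa": ["six>=1.9.0"],
}

_NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")
_EXTRA_RE = re.compile(r"""extra\s*==\s*['"]([^'"]+)['"]""")


def norm(name):
    """PEP 503 style normalisation so 'Python_Jose' and 'python-jose' match."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(req):
    """Return (normalised name, extra) from a Requires-Dist string.

    extra is the parent's extra that gates this requirement, or None when
    the requirement is unconditional (a stock install pulls it in).
    """
    m = _NAME_RE.match(req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    extra = _EXTRA_RE.search(req)
    return norm(m.group(1)), (extra.group(1) if extra else None)


def build_graph(requires):
    """Adjacency list: parent -> [(child, extra), ...]."""
    return {norm(dist): [parse_requirement(r) for r in reqs]
            for dist, reqs in requires.items()}


def chains_to(requires, root, target):
    """All dependency chains from root to target, e.g.
    'moto[ec2] -> sshpubkeys -> ecdsa'. A hop is written name[extra] when
    the next package is only pulled in by that extra of name."""
    graph = build_graph(requires)
    root, target = norm(root), norm(target)
    chains = []

    def walk(node, path, seen):
        for child, extra in graph.get(node, []):
            if child in seen:  # guard against cyclic metadata
                continue
            hop = f"{node}[{extra}]" if extra else node
            if child == target:
                chains.append(" -> ".join(path + [hop, child]))
            else:
                walk(child, path + [hop], seen | {child})

    walk(root, [], {root})
    return sorted(chains)


def pulled_by_stock_install(requires, root, target):
    """True if some chain reaches target without passing through any extra,
    i.e. a plain `pip install <root>` would install it."""
    return any("[" not in chain for chain in chains_to(requires, root, target))


def live_requires():
    """Same shape as SAMPLE_REQUIRES, read from the current environment."""
    return {d.metadata["Name"]: list(d.requires or []) for d in distributions()}


if __name__ == "__main__":
    for chain in chains_to(SAMPLE_REQUIRES, "moto", "ecdsa"):
        print(chain)
    print("stock install pulls ecdsa:",
          pulled_by_stock_install(SAMPLE_REQUIRES, "moto", "ecdsa"))
    # Against a real environment: chains_to(live_requires(), "moto", "ecdsa")
```

On the sample graph every chain to ecdsa passes through an extra, which is the check behind the claim that a plain `pip install moto` does not pull it in; running chains_to over live_requires() answers the same question for the environment a scanner actually flagged.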

@tabdunabi
Author

Thank you @bblommers! I appreciate your quick response.

@bblommers
Collaborator

The ecdsa dependency has been removed in Moto 5.0.2, just released.
