ecdsa dependency is subject to CVE-2024-23342 and should be upgraded

[rbernotas]

Describe the bug

See GHSA-wj6h-64fc-37mp for the description of the vulnerability.

How to Reproduce

data.all is currently using ecdsa 0.18.0

deploy/custom_resources/custom_authorizer/requirements.txt:ecdsa==0.18.0

Expected behavior

No response

Your project

No response

Screenshots

No response

OS

n/a

Python version

n/a

AWS data.all version

v2.6

Additional context

No response

[noah-paige]

Hi @rbernotas - thank you for raising this issue. We are aware of the current vulnerability and a determining the best way forward because as of now there is no patched version for the above and no planned fix.

To note in documentation of this vulnerability - 'ECDSA signature verification is unaffected'. @TejasRGitHub could you confirm how exactly we use ecdsa library in the custom authorizer today?

I see we do not explicitly reference ecdsa but it is a child dependency for other packages like python-jose

++ Additional Call Out: This vulnerability is specific to custom_auth use cases with data.all

[TejasRGitHub]

Hi @noah-paige , let me do some digging on this and get back to you on this gh issue

[TejasRGitHub]

Hi @noah-paige , did some digging on this website - https://pypi.org/project/python-jose/. If installing python-jose with cryptography like pip install 'python-jose[cryptography]' the dependencies which are installed for this package are -

cffi==1.17.1
cryptography==43.0.1
ecdsa==0.19.0
pyasn1==0.6.1
pycparser==2.22
python-jose==3.3.0
rsa==4.9
six==1.16.0

This list uses ecdsa==0.19.0
I will check and test on my aws deployed data.all to see if the custom auth still works as expected.