← Volver a CVEs

CVE-2021-32685

CRITICAL

9.8

Descripcion

tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In `tenvoy.js` under the `verifyWithMessage` method definition within the `tEnvoyNaClSigningKey` class, ensure that the return statement call to `this.verify` ends in `.verified`.

Detalles CVE

Puntuacion CVSS v3.19.8

SeveridadCRITICAL

Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vector de ataqueNETWORK

ComplejidadLOW

Privilegios requeridosNONE

Interaccion usuarioNONE

Publicado6/16/2021

Ultima modificacion11/21/2024

Fuentenvd

Avistamientos honeypot0

Productos afectados

togatech:tenvoy

Debilidades (CWE)

CWE-347

Referencias

https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b(security-advisories@github.com)

https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3(security-advisories@github.com)

https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m(security-advisories@github.com)

https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m(af854a3a-2127-422b-91ae-364da2661108)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.