← Back to CVEs

CVE-2021-32685

CRITICAL

9.8

Description

tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In `tenvoy.js` under the `verifyWithMessage` method definition within the `tEnvoyNaClSigningKey` class, ensure that the return statement call to `this.verify` ends in `.verified`.

CVE Details

CVSS v3.1 Score9.8

SeverityCRITICAL

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published6/16/2021

Last Modified11/21/2024

Sourcenvd

Honeypot Sightings0

Affected Products

togatech:tenvoy

Weaknesses (CWE)

CWE-347

References

https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b(security-advisories@github.com)

https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3(security-advisories@github.com)

https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m(security-advisories@github.com)

https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.