TROYANOSYVIRUS

CVE-2021-32685

CRITICAL
9.8

Description

tEnvoy provides PGP, NaCl, and PBKDF2 for Node.js and the browser (hashing, random, encryption, decryption, signatures, conversions) and is used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-512 hash matching the SHA-512 hash of the message, even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround, in `tenvoy.js` under the `verifyWithMessage` method definition within the `tEnvoyNaClSigningKey` class, ensure that the return statement call to `this.verify` ends in `.verified`.
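
An added regression check for the flaw described above, written as a simplified model and not tEnvoy's own code: the class name `ModelSigningKey`, the signed-blob layout and the shape of the object returned by `verify` are assumptions inferred from the workaround text. It shows why using the result object as a boolean accepts a blob with an invalid signature, and why reading `.verified` rejects it.

```javascript
// Simplified model of the flaw class (CWE-347); NOT tEnvoy's source.
// Assumption: verify() returns an object carrying a `verified` flag.
const crypto = require("node:crypto");

const sha512 = (msg) => crypto.createHash("sha512").update(msg).digest();

class ModelSigningKey {
  constructor() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    this.publicKey = publicKey;
    this.privateKey = privateKey;
  }
  // Assumed layout: 64-byte Ed25519 signature || SHA-512(message).
  sign(message) {
    const hash = sha512(message);
    return Buffer.concat([crypto.sign(null, hash, this.privateKey), hash]);
  }
  // Returns an object, which is truthy even when verified === false.
  verify(signed) {
    const sig = signed.subarray(0, 64);
    const hash = signed.subarray(64);
    return { verified: crypto.verify(null, hash, this.publicKey, sig), hash };
  }
  // Pre-fix behaviour: the result object itself is used as the boolean.
  verifyWithMessageVulnerable(signed, message) {
    const result = this.verify(signed);
    return Boolean(result) && result.hash.equals(sha512(message));
  }
  // Fixed behaviour: the decision depends on `.verified`.
  verifyWithMessageFixed(signed, message) {
    const result = this.verify(signed);
    return result.verified && result.hash.equals(sha512(message));
  }
}

// Constructed input: 64 zero bytes stand in for an invalid signature.
function demo() {
  const key = new ModelSigningKey();
  const message = Buffer.from("constructed sample message");
  const genuine = key.sign(message);
  const invalid = Buffer.concat([Buffer.alloc(64), sha512(message)]);
  return {
    genuineFixed: key.verifyWithMessageFixed(genuine, message),
    invalidVulnerable: key.verifyWithMessageVulnerable(invalid, message),
    invalidFixed: key.verifyWithMessageFixed(invalid, message),
  };
}
```

A test of this shape, run against the real `verifyWithMessage`, distinguishes versions prior to 7.0.3 from patched ones.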

CVE details

CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 6/16/2021
Last modified: 11/21/2024
Source: nvd
Honeypot observations: 0

Affected products

togatech:tenvoy

Weaknesses (CWE)

CWE-347

IOC correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.