CVE-2021-32685 Information

Description

tEnvoy contains the PGP, NaCl, and PBKDF2 functionality in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions) used by TogaTech.org. In versions prior to 7.0.3, the verifyWithMessage method of the tEnvoyNaClSigningKey class always returns a truthy result for any signature whose embedded SHA-512 hash matches the SHA-512 hash of the message, even if the signature itself is invalid: the method returns the object produced by this.verify rather than that object's verified boolean, so a caller that tests the result with an if-statement treats every such signature as valid. This issue is patched in version 7.0.3. As a workaround, in tenvoy.js, under the verifyWithMessage method definition within the tEnvoyNaClSigningKey class, ensure that the return statement's call to this.verify ends in .verified. Callers should also treat the result of verifyWithMessage as a strict boolean (compare with === true) rather than relying on truthiness.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3
https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b
https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.8

Base Severity

CRITICAL
