CVE-2021-32685
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the verifyWithMessage method of tEnvoyNaClSigningKey always returns true for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In tenvoy.js under the verifyWithMessage method definition within the tEnvoyNaClSigningKey class, ensure that the return statement call to this.verify ends in .verified.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| TogaTech | tEnvoy | < 7.0.3 | affected |
Weaknesses
- CWE-347: CWE-347: Improper Verification of Cryptographic Signature
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m
- https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b
- https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3
References
- https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m
- https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b
- https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.