exploitDog

CVE-2021-32685

Published: 16 Jun 2021
Source: nvd
CVSS3: 9.8
CVSS2: 7.5
EPSS: Low

Description

tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the verifyWithMessage method of tEnvoyNaClSigningKey always returns true for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In tenvoy.js under the verifyWithMessage method definition within the tEnvoyNaClSigningKey class, ensure that the return statement call to this.verify ends in .verified.
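The flaw class described above, as an added example that is not tEnvoy's code: a simplified model in which verify returns a result object and verifyWithMessage omits .verified, next to the corrected form from the workaround. The class, the envelope layout (SHA-512 hash plus an Ed25519 signature over it) and every name other than verify, verifyWithMessage and .verified are assumptions.

```javascript
// Simplified model of the flaw class, NOT tEnvoy's source. Every name except
// verify / verifyWithMessage / .verified is hypothetical.
const crypto = require("node:crypto");

const sha512 = (data) => crypto.createHash("sha512").update(data).digest("hex");

class ModelSigningKey {
  constructor() {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
    Object.assign(this, { publicKey, privateKey });
  }
  // Assumed envelope: the message's SHA-512 hash plus a signature over that hash.
  sign(message) {
    const hash = sha512(message);
    const sig = crypto.sign(null, Buffer.from(hash), this.privateKey);
    return { hash, sig };
  }
  // Returns a result object, never a bare boolean.
  verify(envelope) {
    const ok = crypto.verify(null, Buffer.from(envelope.hash), this.publicKey, envelope.sig);
    return { verified: ok, hash: envelope.hash };
  }
  // Vulnerable shape: on a hash match the whole object is returned, and an object is always truthy.
  verifyWithMessageVulnerable(envelope, message) {
    if (envelope.hash !== sha512(message)) return false;
    return this.verify(envelope);
  }
  // Corrected shape per the workaround: the return ends in .verified.
  verifyWithMessageFixed(envelope, message) {
    if (envelope.hash !== sha512(message)) return false;
    return this.verify(envelope).verified;
  }
}

function demo() {
  const message = "constructed sample message";
  const key = new ModelSigningKey();
  const good = key.sign(message);
  // Constructed invalid input: matching hash, but signed by an unrelated key.
  const wrongKey = new ModelSigningKey().sign(message);
  return {
    vulnerableOnInvalid: Boolean(key.verifyWithMessageVulnerable(wrongKey, message)),
    fixedOnInvalid: key.verifyWithMessageFixed(wrongKey, message),
    fixedOnValid: key.verifyWithMessageFixed(good, message),
  };
}

console.log(demo());
```

A regression test for the 7.0.3 fix can assert that the return value is strictly `false` for a wrong-key signature, which also catches any future non-boolean return.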

Vulnerable configurations

Configuration 1
cpe:2.3:a:togatech:tenvoy:*:*:*:*:*:node.js:*:*
Versions before 7.0.3 (excluding)

EPSS

Percentile: 39%
0.00177
Low

9.8 Critical

CVSS3

7.5 High

CVSS2

Weaknesses

CWE-347

Related vulnerabilities

CVSS3: 9.8
github
more than 4 years ago

Improper Verification of Cryptographic Signature
