CVE-2021-32685

Improper Verification of Cryptographic Signature in tenvoy

CVSS 9.8 CRITICALEPSS 0.7%CWE-347

Vexday Risk Score

28Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 9.8EPSS 0.7%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

16 jun 2021Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In `tenvoy.js` under the `verifyWithMessage` method definition within the `tEnvoyNaClSigningKey` class, ensure that the return statement call to `this.verify` ends in `.verified`.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Productos afectados

TogaTech · tEnvoy

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3 https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m