CVE-2021-21387 - OpenCVE

Vendors	Products
Wrongthink	Wrongthink

Link	Providers
https://github.com/parabirb/wrongthink/security/advisories/GHSA-5jxh-6378-rg7v

{"containers": {"cna": {"affected": [{"product": "wrongthink", "vendor": "parabirb", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.2.0"}]}], "descriptions": [{"lang": "en", "value": "Wrongthink peer-to-peer, end-to-end encrypted messenger with PeerJS and Axolotl ratchet. In wrongthink from version 2.0.0 and before 2.3.0 there was a set of vulnerabilities causing inadequate encryption strength. Part of the secret identity key was disclosed by the fingerprint used for connection. Additionally, the safety number was improperly calculated. It was computed using part of one of the public identity keys instead of being derived from both public identity keys. This caused issues in computing safety numbers which would potentially be exploitable in the real world. Additionally there was inadequate encryption strength due to use of 1024-bit DSA keys. These issues are all fixed in version 2.3.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319: Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-326", "description": "CWE-326: Inadequate Encryption Strength", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-358", "description": "CWE-358: Improperly Implemented Security Check for Standard", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-19T15:25:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parabirb/wrongthink/security/advisories/GHSA-5jxh-6378-rg7v"}], "source": {"advisory": "GHSA-5jxh-6378-rg7v", "discovery": "UNKNOWN"}, "title": "Partial secret key disclosure, improper safety number calculation, & inadequate encryption strength", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21387", "STATE": "PUBLIC", "TITLE": "Partial secret key disclosure, improper safety number calculation, & inadequate encryption strength"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "wrongthink", "version": {"version_data": [{"version_value": ">= 2.0.0, < 2.2.0"}]}}]}, "vendor_name": "parabirb"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Wrongthink peer-to-peer, end-to-end encrypted messenger with PeerJS and Axolotl ratchet. In wrongthink from version 2.0.0 and before 2.3.0 there was a set of vulnerabilities causing inadequate encryption strength. Part of the secret identity key was disclosed by the fingerprint used for connection. Additionally, the safety number was improperly calculated. It was computed using part of one of the public identity keys instead of being derived from both public identity keys. This caused issues in computing safety numbers which would potentially be exploitable in the real world. Additionally there was inadequate encryption strength due to use of 1024-bit DSA keys. These issues are all fixed in version 2.3.0."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-319: Cleartext Transmission of Sensitive Information"}]}, {"description": [{"lang": "eng", "value": "CWE-326: Inadequate Encryption Strength"}]}, {"description": [{"lang": "eng", "value": "CWE-358: Improperly Implemented Security Check for Standard"}]}]}, "references": {"reference_data": [{"name": "https://github.com/parabirb/wrongthink/security/advisories/GHSA-5jxh-6378-rg7v", "refsource": "CONFIRM", "url": "https://github.com/parabirb/wrongthink/security/advisories/GHSA-5jxh-6378-rg7v"}]}, "source": {"advisory": "GHSA-5jxh-6378-rg7v", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:09:15.979Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/parabirb/wrongthink/security/advisories/GHSA-5jxh-6378-rg7v"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21387", "datePublished": "2021-03-19T15:25:12", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2024-08-03T18:09:15.979Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wrongthink:wrongthink:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF024789-5E37-406E-81A4-99DF296E2A38", "versionEndExcluding": "2.3.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Wrongthink peer-to-peer, end-to-end encrypted messenger with PeerJS and Axolotl ratchet. In wrongthink from version 2.0.0 and before 2.3.0 there was a set of vulnerabilities causing inadequate encryption strength. Part of the secret identity key was disclosed by the fingerprint used for connection. Additionally, the safety number was improperly calculated. It was computed using part of one of the public identity keys instead of being derived from both public identity keys. This caused issues in computing safety numbers which would potentially be exploitable in the real world. Additionally there was inadequate encryption strength due to use of 1024-bit DSA keys. These issues are all fixed in version 2.3.0."}, {"lang": "es", "value": "Wrongthink mensajero cifrado punto a punto y de extremo a extremo con PeerJS y Axolotl Ratchet. En wrongthink desde versi\u00f3n 2.0.0 y anteriores a 2.3.0, hab\u00eda un conjunto de vulnerabilidades que causaban una fuerza de cifrado inapropiada. Parte de la clave de identidad secreta fue divulgada por la huella digital usada para la conexi\u00f3n. Adem\u00e1s, el n\u00famero de seguridad fue calculado inapropiadamente. Se calcul\u00f3 usando parte de una de las claves de identidad p\u00fablicas en lugar de derivarse de ambas claves de identidad p\u00fablicas. Esto caus\u00f3 problemas en el c\u00e1lculo de n\u00fameros de seguridad que potencialmente podr\u00edan explotarse en el mundo real. Adem\u00e1s, hubo un nivel de cifrado inadecuado debido al uso de claves DSA de 1024 bits. Todos estos problemas est\u00e1n corregidos en versi\u00f3n 2.3.0"}], "id": "CVE-2021-21387", "lastModified": "2021-03-25T19:35:55.447", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-03-19T16:15:12.780", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/parabirb/wrongthink/security/advisories/GHSA-5jxh-6378-rg7v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}, {"lang": "en", "value": "CWE-326"}, {"lang": "en", "value": "CWE-358"}], "source": "security-advisories@github.com", "type": "Primary"}]}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object