CVE-2021-32685 - OpenCVE

tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In `tenvoy.js` under the `verifyWithMessage` method definition within the `tEnvoyNaClSigningKey` class, ensure that the return statement call to `this.verify` ends in `.verified`.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Togatech	Tenvoy

Configuration 1 [-]

cpe:2.3:a:togatech:tenvoy:*:*:*:*:*:node.js:*:*

No data.

References

Link	Providers
https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b
https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3
https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-06-16T00:25:11

Updated: 2024-08-03T23:25:31.108Z

Reserved: 2021-05-12T00:00:00

Link: CVE-2021-32685

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2021-06-16T01:15:06.930

Modified: 2021-06-23T20:09:12.343

Link: CVE-2021-32685

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "tEnvoy", "vendor": "TogaTech", "versions": [{"status": "affected", "version": "< 7.0.3"}]}], "descriptions": [{"lang": "en", "value": "tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In `tenvoy.js` under the `verifyWithMessage` method definition within the `tEnvoyNaClSigningKey` class, ensure that the return statement call to `this.verify` ends in `.verified`."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-06-16T00:25:11", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3"}], "source": {"advisory": "GHSA-7r96-8g3x-g36m", "discovery": "UNKNOWN"}, "title": "Improper Verification of Cryptographic Signature in tenvoy", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-32685", "STATE": "PUBLIC", "TITLE": "Improper Verification of Cryptographic Signature in tenvoy"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "tEnvoy", "version": {"version_data": [{"version_value": "< 7.0.3"}]}}]}, "vendor_name": "TogaTech"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In `tenvoy.js` under the `verifyWithMessage` method definition within the `tEnvoyNaClSigningKey` class, ensure that the return statement call to `this.verify` ends in `.verified`."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-347: Improper Verification of Cryptographic Signature"}]}]}, "references": {"reference_data": [{"name": "https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m", "refsource": "CONFIRM", "url": "https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m"}, {"name": "https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b", "refsource": "MISC", "url": "https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b"}, {"name": "https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3", "refsource": "MISC", "url": "https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3"}]}, "source": {"advisory": "GHSA-7r96-8g3x-g36m", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T23:25:31.108Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-32685", "datePublished": "2021-06-16T00:25:11", "dateReserved": "2021-05-12T00:00:00", "dateUpdated": "2024-08-03T23:25:31.108Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:togatech:tenvoy:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "DE588619-F621-4DF3-9A31-2FE424EBBB4B", "versionEndExcluding": "7.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In `tenvoy.js` under the `verifyWithMessage` method definition within the `tEnvoyNaClSigningKey` class, ensure that the return statement call to `this.verify` ends in `.verified`."}, {"lang": "es", "value": "tEnvoy contiene el PGP, NaCl, y PBKDF2 en el archivo node.js y el navegador (hashing, aleatorio, cifrado, descifrado, firmas, conversiones), usado por TogaTech.org. En versiones anteriores a 7.0.3, el m\u00e9todo \"verifyWithMessage\" del par\u00e1metro \"tEnvoyNaClSigningKey\" siempre devuelve \"true\" para cualquier firma que tenga un hash SHA-512 que coincida con el hash SHA-512 del mensaje, incluso si la firma no es v\u00e1lida. Este problema se ha corregido en la versi\u00f3n 7.0.3. Como soluci\u00f3n: En \"tenvoy.js\", en la definici\u00f3n del m\u00e9todo \"verifyWithMessage\" dentro de la clase \"tEnvoyNaClSigningKey\", aseg\u00farese de que la llamada a la sentencia return de \"this.verify\" termine en \".verified\""}], "id": "CVE-2021-32685", "lastModified": "2021-06-23T20:09:12.343", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-06-16T01:15:06.930", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686b"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory", "Release Notes"], "url": "https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "security-advisories@github.com", "type": "Primary"}]}