Vulnerability Details CVE-2021-32685
tEnvoy provides PGP, NaCl, and PBKDF2 functionality (hashing, random generation, encryption, decryption, signatures, conversions) for Node.js and the browser, and is used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature whose SHA-512 hash matches the SHA-512 hash of the message, even when the signature itself is invalid. This issue is patched in version 7.0.3. As a workaround: in `tenvoy.js`, under the `verifyWithMessage` method definition within the `tEnvoyNaClSigningKey` class, ensure that the return statement's call to `this.verify` ends in `.verified`.
Exploit Prediction Scoring System (EPSS) score
EPSS Score: 0.002
EPSS Ranking: 39.6%
CVSS Severity
CVSS v3 Score: 9.8
CVSS v2 Score: 7.5
Products affected by CVE-2021-32685
- cpe:2.3:a:togatech:tenvoy:-
- cpe:2.3:a:togatech:tenvoy:0.6.3
- cpe:2.3:a:togatech:tenvoy:5.0.0
- cpe:2.3:a:togatech:tenvoy:5.0.1
- cpe:2.3:a:togatech:tenvoy:5.1.0
- cpe:2.3:a:togatech:tenvoy:5.1.1
- cpe:2.3:a:togatech:tenvoy:6.0.0
- cpe:2.3:a:togatech:tenvoy:6.0.1
- cpe:2.3:a:togatech:tenvoy:6.0.2
- cpe:2.3:a:togatech:tenvoy:6.0.3
- cpe:2.3:a:togatech:tenvoy:6.0.4
- cpe:2.3:a:togatech:tenvoy:6.0.5
- cpe:2.3:a:togatech:tenvoy:6.0.6
- cpe:2.3:a:togatech:tenvoy:7.0.0
- cpe:2.3:a:togatech:tenvoy:7.0.1
- cpe:2.3:a:togatech:tenvoy:7.0.2