Vulnerability Description
tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWithMessage` method of `tEnvoyNaClSigningKey` always returns `true` for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In `tenvoy.js` under the `verifyWithMessage` method definition within the `tEnvoyNaClSigningKey` class, ensure that the return statement call to `this.verify` ends in `.verified`.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Togatech | Tenvoy | < 7.0.3 |
Related Weaknesses (CWE)
References
- https://github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee68 (Patch, Third Party Advisory)
- https://github.com/TogaTech/tEnvoy/releases/tag/v7.0.3 (Release Notes, Third Party Advisory)
- https://github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36m (Third Party Advisory)
FAQ
What is CVE-2021-32685?
CVE-2021-32685 is a vulnerability with a CVSS score of 9.8 (CRITICAL). tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the `verifyWi...
How severe is CVE-2021-32685?
CVE-2021-32685 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-32685?
Check the references section above for vendor advisories and patch information. Affected products include: Togatech Tenvoy.