CVE-2021-32685
Description
tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the verifyWithMessage method of tEnvoyNaClSigningKey always returns true for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In tenvoy.js under the verifyWithMessage method definition within the tEnvoyNaClSigningKey class, ensure that the return statement call to this.verify ends in .verified.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
tenvoynpm | < 7.0.3 | 7.0.3 |
Affected products
2Patches
Vulnerability mechanics
References
5- github.com/TogaTech/tEnvoy/commit/a121b34a45e289d775c62e58841522891dee686bnvdPatchThird Party AdvisoryWEB
- github.com/TogaTech/tEnvoy/releases/tag/v7.0.3nvdRelease NotesThird Party AdvisoryWEB
- github.com/TogaTech/tEnvoy/security/advisories/GHSA-7r96-8g3x-g36mnvdThird Party AdvisoryWEB
- github.com/advisories/GHSA-7r96-8g3x-g36mghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-32685ghsaADVISORY
News mentions
0No linked articles in our index yet.