CVE-2021-32685

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-32685
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-32685.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-32685
Aliases
Related
Published
2021-06-16T01:15:06.930Z
Modified
2025-11-14T11:55:59.844441Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

tEnvoy provides PGP, NaCl, and PBKDF2 functionality in Node.js and the browser (hashing, random, encryption, decryption, signatures, conversions) and is used by TogaTech.org. In versions prior to 7.0.3, the verifyWithMessage method of tEnvoyNaClSigningKey always returns true for any signature that has a SHA-512 hash matching the SHA-512 hash of the message, even if the signature is invalid. This issue is patched in version 7.0.3. As a workaround, in tenvoy.js, under the verifyWithMessage method definition within the tEnvoyNaClSigningKey class, ensure that the call to this.verify in the return statement ends in .verified.
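The flaw described above, shown as an added example that is not tEnvoy's code: a simplified model in which verify() returns a result object and the message check uses that object's truthiness instead of its .verified field. The class, method and field names (ModelSigningKey, verifyWithMessageFlawed, verifyWithMessageFixed, the { hash, sig } shape) are assumptions, and Node's built-in Ed25519 stands in for tEnvoy's NaCl signing.

```javascript
// Simplified model of the flaw, not tEnvoy's source. Assumed shapes:
// sign() -> { hash, sig }, verify() -> { verified, hash }.
const nodeCrypto = require('node:crypto');

const sha512 = (msg) => nodeCrypto.createHash('sha512').update(msg).digest('hex');

class ModelSigningKey { // hypothetical stand-in for a NaCl signing key wrapper
  constructor() {
    const pair = nodeCrypto.generateKeyPairSync('ed25519');
    this.publicKey = pair.publicKey;
    this.privateKey = pair.privateKey;
  }

  sign(message) {
    const hash = sha512(message);
    return { hash, sig: nodeCrypto.sign(null, Buffer.from(hash), this.privateKey) };
  }

  // Returns a result object; the object is truthy even when verified === false.
  verify(signed) {
    const ok = nodeCrypto.verify(null, Buffer.from(signed.hash), this.publicKey, signed.sig);
    return { verified: ok, hash: signed.hash };
  }

  // Flawed form: the object's truthiness stands in for the signature check,
  // so only the hash comparison decides the outcome.
  verifyWithMessageFlawed(signed, message) {
    return this.verify(signed) && signed.hash === sha512(message);
  }

  // Corrected form, matching the advisory's workaround: read .verified.
  verifyWithMessageFixed(signed, message) {
    return this.verify(signed).verified && signed.hash === sha512(message);
  }
}

// Regression check on constructed input: a signature made by an unrelated key.
function regressionCheck() {
  const message = 'constructed sample message';
  const trusted = new ModelSigningKey();
  const unrelated = new ModelSigningKey();
  const genuine = trusted.sign(message);
  const foreign = unrelated.sign(message); // same hash, wrong signer
  return {
    flawedAcceptsForeign: trusted.verifyWithMessageFlawed(foreign, message),
    fixedAcceptsForeign: trusted.verifyWithMessageFixed(foreign, message),
    fixedAcceptsGenuine: trusted.verifyWithMessageFixed(genuine, message),
    fixedAcceptsWrongMessage: trusted.verifyWithMessageFixed(genuine, 'other'),
  };
}
```

A test of this shape, run against the real verifyWithMessage after upgrading to 7.0.3, confirms that a signature from a different key is rejected even when the message hash matches.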

References

Affected packages

Git / github.com/togatech/tenvoy

Affected ranges

Type
GIT
Repo
https://github.com/togatech/tenvoy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed

Affected versions

v0.*

v0.6.3

v5.*

v5.0.0
v5.0.1
v5.1.0
v5.1.1

v6.*

v6.0.0
v6.0.1
v6.0.2
v6.0.3
v6.0.4
v6.0.5
v6.0.6

v7.*

v7.0.0
v7.0.1
v7.0.2