CVE-2021-32685: Improper Verification of Cryptographic Signature

June 16, 2021 (updated June 23, 2021)

tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org., the verifyWithMessage method of tEnvoyNaClSigningKey always returns true for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid.

References

nvd.nist.gov/vuln/detail/CVE-2021-32685

Code Behaviors & Features

Detect and mitigate CVE-2021-32685 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →