Improper Verification of Cryptographic Signature

Description

The verifyWithMessage method of tEnvoyNaClSigningKey always returns true for any signature of a SHA-512 hash matching the SHA-512 hash of the message even if the signature is invalid.

Recommendation

Update the tenvoy package to the latest compatible version. Followings are version details:

• Affected version(s): < 7.0.3
• Patched version(s): 7.0.3

References

• GHSA-7r96-8g3x-g36m
• CVE-2021-32685
• CWE-347
• CAPEC-310
• OWASP 2021-A2
• OWASP 2021-A6

Related Issues

• Improper Verification of Cryptographic Signature in node-forge - CVE-2022-24772
• Improper Verification of Cryptographic Signature in `node-forge` - node-forge - GHSA-2r2c-g63r-vccr - CVE-2022-24773
• Improper Verification of Cryptographic Signature in node-forge - node-forge - CVE-2022-24771
• Improper Verification of Communication Channel in @theia/plugin-ext - CVE-2021-41038

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

tenvoy