GHSA-5w25-hxp5-h8c9: Duplicate Advisory: Improper Verification of Cryptographic Signature
(updated )
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-7r96-8g3x-g36m. This link is maintained to preserve external references.
Original Description
tEnvoy contains the PGP, NaCl, and PBKDF2 in node.js and the browser (hashing, random, encryption, decryption, signatures, conversions), used by TogaTech.org. In versions prior to 7.0.3, the verifyWithMessage method of tEnvoyNaClSigningKey always returns true for any signature that has a SHA-512 hash matching the SHA-512 hash of the message even if the signature was invalid. This issue is patched in version 7.0.3. As a workaround: In tenvoy.js under the verifyWithMessage method definition within the tEnvoyNaClSigningKey class, ensure that the return statement call to this.verify ends in .verified.
References
Code Behaviors & Features
Detect and mitigate GHSA-5w25-hxp5-h8c9 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →