CVE-2021-21387 - OpenCVE

Wrongthink peer-to-peer, end-to-end encrypted messenger with PeerJS and Axolotl ratchet. In wrongthink from version 2.0.0 and before 2.3.0 there was a set of vulnerabilities causing inadequate encryption strength. Part of the secret identity key was disclosed by the fingerprint used for connection. Additionally, the safety number was improperly calculated. It was computed using part of one of the public identity keys instead of being derived from both public identity keys. This caused issues in computing safety numbers which would potentially be exploitable in the real world. Additionally there was inadequate encryption strength due to use of 1024-bit DSA keys. These issues are all fixed in version 2.3.0.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Wrongthink	Wrongthink

Configuration 1 [-]

cpe:2.3:a:wrongthink:wrongthink:*:*:*:*:*:*:*:*

References

Link	Resource
https://github.com/parabirb/wrongthink/security/advisories/GHSA-5jxh-6378-rg7v	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: GitHub_M

Published: 2021-03-19T15:25:12

Updated: 2021-03-19T15:25:12

Reserved: 2020-12-22T00:00:00

Link: CVE-2021-21387

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-03-19T16:15:12.780

Modified: 2021-03-25T19:35:55.447

Link: CVE-2021-21387

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "wrongthink", "vendor": "parabirb", "versions": [{"status": "affected", "version": ">= 2.0.0, < 2.2.0"}]}], "descriptions": [{"lang": "en", "value": "Wrongthink peer-to-peer, end-to-end encrypted messenger with PeerJS and Axolotl ratchet. In wrongthink from version 2.0.0 and before 2.3.0 there was a set of vulnerabilities causing inadequate encryption strength. Part of the secret identity key was disclosed by the fingerprint used for connection. Additionally, the safety number was improperly calculated. It was computed using part of one of the public identity keys instead of being derived from both public identity keys. This caused issues in computing safety numbers which would potentially be exploitable in the real world. Additionally there was inadequate encryption strength due to use of 1024-bit DSA keys. These issues are all fixed in version 2.3.0."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-319", "description": "CWE-319: Cleartext Transmission of Sensitive Information", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-326", "description": "CWE-326: Inadequate Encryption Strength", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-358", "description": "CWE-358: Improperly Implemented Security Check for Standard", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-19T15:25:12", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/parabirb/wrongthink/security/advisories/GHSA-5jxh-6378-rg7v"}], "source": {"advisory": "GHSA-5jxh-6378-rg7v", "discovery": "UNKNOWN"}, "title": "Partial secret key disclosure, improper safety number calculation, & inadequate encryption strength", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-21387", "STATE": "PUBLIC", "TITLE": "Partial secret key disclosure, improper safety number calculation, & inadequate encryption strength"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "wrongthink", "version": {"version_data": [{"version_value": ">= 2.0.0, < 2.2.0"}]}}]}, "vendor_name": "parabirb"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Wrongthink peer-to-peer, end-to-end encrypted messenger with PeerJS and Axolotl ratchet. In wrongthink from version 2.0.0 and before 2.3.0 there was a set of vulnerabilities causing inadequate encryption strength. Part of the secret identity key was disclosed by the fingerprint used for connection. Additionally, the safety number was improperly calculated. It was computed using part of one of the public identity keys instead of being derived from both public identity keys. This caused issues in computing safety numbers which would potentially be exploitable in the real world. Additionally there was inadequate encryption strength due to use of 1024-bit DSA keys. These issues are all fixed in version 2.3.0."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-319: Cleartext Transmission of Sensitive Information"}]}, {"description": [{"lang": "eng", "value": "CWE-326: Inadequate Encryption Strength"}]}, {"description": [{"lang": "eng", "value": "CWE-358: Improperly Implemented Security Check for Standard"}]}]}, "references": {"reference_data": [{"name": "https://github.com/parabirb/wrongthink/security/advisories/GHSA-5jxh-6378-rg7v", "refsource": "CONFIRM", "url": "https://github.com/parabirb/wrongthink/security/advisories/GHSA-5jxh-6378-rg7v"}]}, "source": {"advisory": "GHSA-5jxh-6378-rg7v", "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-21387", "datePublished": "2021-03-19T15:25:12", "dateReserved": "2020-12-22T00:00:00", "dateUpdated": "2021-03-19T15:25:12", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wrongthink:wrongthink:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF024789-5E37-406E-81A4-99DF296E2A38", "versionEndExcluding": "2.3.0", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Wrongthink peer-to-peer, end-to-end encrypted messenger with PeerJS and Axolotl ratchet. In wrongthink from version 2.0.0 and before 2.3.0 there was a set of vulnerabilities causing inadequate encryption strength. Part of the secret identity key was disclosed by the fingerprint used for connection. Additionally, the safety number was improperly calculated. It was computed using part of one of the public identity keys instead of being derived from both public identity keys. This caused issues in computing safety numbers which would potentially be exploitable in the real world. Additionally there was inadequate encryption strength due to use of 1024-bit DSA keys. These issues are all fixed in version 2.3.0."}, {"lang": "es", "value": "Wrongthink mensajero cifrado punto a punto y de extremo a extremo con PeerJS y Axolotl Ratchet. En wrongthink desde versi\u00f3n 2.0.0 y anteriores a 2.3.0, hab\u00eda un conjunto de vulnerabilidades que causaban una fuerza de cifrado inapropiada. Parte de la clave de identidad secreta fue divulgada por la huella digital usada para la conexi\u00f3n. Adem\u00e1s, el n\u00famero de seguridad fue calculado inapropiadamente. Se calcul\u00f3 usando parte de una de las claves de identidad p\u00fablicas en lugar de derivarse de ambas claves de identidad p\u00fablicas. Esto caus\u00f3 problemas en el c\u00e1lculo de n\u00fameros de seguridad que potencialmente podr\u00edan explotarse en el mundo real. Adem\u00e1s, hubo un nivel de cifrado inadecuado debido al uso de claves DSA de 1024 bits. Todos estos problemas est\u00e1n corregidos en versi\u00f3n 2.3.0"}], "id": "CVE-2021-21387", "lastModified": "2021-03-25T19:35:55.447", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-03-19T16:15:12.780", "references": [{"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/parabirb/wrongthink/security/advisories/GHSA-5jxh-6378-rg7v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-319"}, {"lang": "en", "value": "CWE-326"}, {"lang": "en", "value": "CWE-358"}], "source": "security-advisories@github.com", "type": "Primary"}]}