CVE-2021-21387

{"id": "CVE-2021-21387", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2021-03-19T16:15:12.780", "references": [{"url": "https://github.com/parabirb/wrongthink/security/advisories/GHSA-5jxh-6378-rg7v", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-319"}, {"lang": "en", "value": "CWE-326"}, {"lang": "en", "value": "CWE-358"}]}], "descriptions": [{"lang": "en", "value": "Wrongthink peer-to-peer, end-to-end encrypted messenger with PeerJS and Axolotl ratchet. In wrongthink from version 2.0.0 and before 2.3.0 there was a set of vulnerabilities causing inadequate encryption strength. Part of the secret identity key was disclosed by the fingerprint used for connection. Additionally, the safety number was improperly calculated. It was computed using part of one of the public identity keys instead of being derived from both public identity keys. This caused issues in computing safety numbers which would potentially be exploitable in the real world. Additionally there was inadequate encryption strength due to use of 1024-bit DSA keys. These issues are all fixed in version 2.3.0."}, {"lang": "es", "value": "Wrongthink mensajero cifrado punto a punto y de extremo a extremo con PeerJS y Axolotl Ratchet. En wrongthink desde versi\u00f3n 2.0.0 y anteriores a 2.3.0, hab\u00eda un conjunto de vulnerabilidades que causaban una fuerza de cifrado inapropiada. Parte de la clave de identidad secreta fue divulgada por la huella digital usada para la conexi\u00f3n. Adem\u00e1s, el n\u00famero de seguridad fue calculado inapropiadamente. Se calcul\u00f3 usando parte de una de las claves de identidad p\u00fablicas en lugar de derivarse de ambas claves de identidad p\u00fablicas. Esto caus\u00f3 problemas en el c\u00e1lculo de n\u00fameros de seguridad que potencialmente podr\u00edan explotarse en el mundo real. Adem\u00e1s, hubo un nivel de cifrado inadecuado debido al uso de claves DSA de 1024 bits. Todos estos problemas est\u00e1n corregidos en versi\u00f3n 2.3.0"}], "lastModified": "2021-03-25T19:35:55.447", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wrongthink:wrongthink:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF024789-5E37-406E-81A4-99DF296E2A38", "versionEndExcluding": "2.3.0", "versionStartIncluding": "2.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}