PT-2021-14467 · Unknown · Wrongthink
Parabirb · Published 2021-03-19 · Updated 2021-03-25 · CVE-2021-21387
CVSS v3.1: 8.1 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Wrongthink versions 2.0.0 through 2.2.x
Description
Wrongthink is a peer-to-peer, end-to-end encrypted messenger. Versions 2.0.0 through 2.2.x handle identity keys weakly in three ways. First, the fingerprint used to establish a connection disclosed part of the secret identity key; a fingerprint must be a function of public key material only, because it is shown to every peer that connects. Second, the safety number was improperly calculated: it was derived from part of one of the public identity keys instead of from both. A safety number that omits one party's key does not change when that key is substituted, so comparing it out of band does not confirm that both ends of the session hold the keys they claim; the advisory notes this could lead to exploitable issues in the real world. Third, identity keys were 1024-bit DSA keys, which offer roughly 80 bits of security, below the 112-bit level that current guidance treats as the minimum (inadequate encryption strength).
Recommendations
For versions 2.0.0 through 2.2.x, update to version 2.3.0, which resolves the fingerprint disclosure, the improper safety number calculation and the inadequate key strength. Upgrading does not undo a disclosure that has already happened: an identity whose pre-2.3.0 fingerprint was shared with peers may have leaked part of its secret key and should be treated as potentially compromised, and safety numbers compared under the old calculation should not be taken as evidence that a peer's key was verified. As a temporary workaround until the update is applied, restrict the sensitive information exchanged through the messenger.
Fix
Fixed in Wrongthink 2.3.0.
Weakness types
Improperly Implemented Security Check for Standard (CWE-358)
Cleartext Transmission of Sensitive Information (CWE-319)
Inadequate Encryption Strength (CWE-326)
Related Identifiers
CVE-2021-21387
Affected Products
Wrongthink