PT-2021-19897 · Unknown · Js-Stellar-Sdk
Leighmcculloch · Published 2021-07-02 · Updated 2022-07-02
CVE-2021-32738
CVSS v3.1 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
js-stellar-sdk versions prior to 8.2.3
Description
The Utils.readChallengeTx function in js-stellar-sdk does not verify that the server has signed the challenge transaction, despite its documentation stating that it does. This issue affects applications that use Utils.readChallengeTx without also using Utils.verifyChallengeTxThreshold or Utils.verifyChallengeTxSigners, which do verify the server's signature. The function is used in SEP-10 Stellar Web Authentication to read and validate challenge transactions.
Recommendations
For js-stellar-sdk versions prior to 8.2.3, update to version 8.2.3 to ensure that the challenge transaction is completely valid and signed by the server that created it. As a temporary workaround, use Utils.verifyChallengeTxThreshold or Utils.verifyChallengeTxSigners to verify the signatures on the challenge transaction, including the server's signature, rather than relying on Utils.readChallengeTx alone.
Fix
Improper Authentication
Improper Verification of Cryptographic Signature
Affected Products
Js-Stellar-Sdk