CVE-2021-21387

Partial secret key disclosure, improper safety number calculation, & inadequate encryption strength

Description

Wrongthink peer-to-peer, end-to-end encrypted messenger with PeerJS and Axolotl ratchet. In wrongthink from version 2.0.0 and before 2.3.0 there was a set of vulnerabilities causing inadequate encryption strength. Part of the secret identity key was disclosed by the fingerprint used for connection. Additionally, the safety number was improperly calculated. It was computed using part of one of the public identity keys instead of being derived from both public identity keys. This caused issues in computing safety numbers which would potentially be exploitable in the real world. Additionally there was inadequate encryption strength due to use of 1024-bit DSA keys. These issues are all fixed in version 2.3.0.

Category

8.1
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.06%
Third-Party Advisory github.com
Affected: parabirb wrongthink
Published at:
Updated at:

References

Link Tags
https://github.com/parabirb/wrongthink/security/advisories/GHSA-5jxh-6378-rg7v third party advisory

Frequently Asked Questions

What is the severity of CVE-2021-21387?
CVE-2021-21387 has been scored as a high severity vulnerability.
How to fix CVE-2021-21387?
To fix CVE-2021-21387, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2021-21387 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-21387 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-21387?
CVE-2021-21387 affects parabirb wrongthink.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.