CVE-2021-32738

Description

The `Utils.readChallengeTx` function used in [SEP-10 Stellar Web Authentication](https://github.com/stellar/stellar-protocol/blob/master/ecosystem/sep-0010.md) states in its function documentation that it reads and validates the challenge transaction including verifying that the `serverAccountID` has signed the transaction. The function does not verify that the server has signed the transaction and has been fixed so that it does in v8.2.3. Applications that also used `Utils.verifyChallengeTxThreshold` or `Utils.verifyChallengeTxSigners` to verify the signatures including the server signature on the challenge transaction are unaffected as those functions verify the server signed the transaction. Applications calling `Utils.readChallengeTx` should update to v8.2.3 to ensure that the challenge transaction is completely valid and signed by the server creating the challenge transaction.

How to fix CVE-2021-32738

To remediate CVE-2021-32738, upgrade the affected package to a fixed version below.

• —upgrade to 8.2.3 or later

Is CVE-2021-32738 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 8.2.3

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2021-32738
• WEBgithub.com/stellar/js-stellar-sdk/commit/6f0bb889c2d10b431ddd5f4a1bcdd519c80430b3
• WEBgithub.com/stellar/js-stellar-sdk/releases/tag/v8.2.3
• WEBgithub.com/stellar/js-stellar-sdk/security/advisories/GHSA-6cgh-hjpw-q3gq