GO-2020-0004.yaml
module: github.com/nanobox-io/golang-nanoauth
versions:
  - introduced: v0.0.0-20160722212129-ac0cc4484ad4
    fixed: v0.0.0-20200131131040-063a3fb69896
description: |
    If any of the `ListenAndServe` functions are called with an empty token,
    token authentication is disabled globally for all listeners.
    Also, a minor timing side channel was present, allowing attackers with
    very low latency who are able to make a lot of requests to potentially
    recover the token.
published: 2021-04-14T12:00:00Z
credit: "@bouk"
symbols:
  - Auth.ServerHTTP
  - Auth.ListenAndServeTLS
  - Auth.ListenAndServe
links:
  pr: https://github.com/nanobox-io/golang-nanoauth/pull/5
  commit: https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
cve_metadata:
  id: CVE-9999-0003
  cwe: "CWE-305: Authentication Bypass by Primary Weakness"
  description: |
    Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between
    v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe
    is called with an empty token.