blob: 8ec9c6484eab7976bb442b02e1f089825e1d6e40 [file] [log] [blame]
module: github.com/nanobox-io/golang-nanoauth
versions:
- introduced: v0.0.0-20160722212129-ac0cc4484ad4
fixed: v0.0.0-20200131131040-063a3fb69896
description: |
If any of the `ListenAndServe` functions are called with an empty token,
token authentication is disabled globally for all listeners.
Also, a minor timing side channel was present allowing attackers with
very low latency and able to make a lot of requests to potentially
recover the token.
published: 2021-04-14T12:00:00Z
credit: "@bouk"
symbols:
- Auth.ServerHTTP
- Auth.ListenAndServeTLS
- Auth.ListenAndServe
links:
pr: https://github.com/nanobox-io/golang-nanoauth/pull/5
commit: https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
cve_metadata:
id: CVE-9999-0003
cwe: "CWE-305: Authentication Bypass by Primary Weakness"
description: |
Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between
v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe
is called with an empty token.