# Vulnerability report for the Go module named in `module`.
module = "github.com/nanobox-io/golang-nanoauth"
# The description covers two distinct weaknesses:
#   1. an empty token passed to any `ListenAndServe` function disables token
#      authentication for all listeners, not only the one being started;
#   2. a timing side channel that may let an attacker recover the token.
# Callers of this package should treat an empty token as a configuration
# error and upgrade to the fixed version.
description = """
If any of the `ListenAndServe` functions are called with an empty token,
token authentication is disabled globally for all listeners.
Also, a minor timing side channel was present allowing attackers with
very low latency and able to make a lot of requests to potentially
recover the token.
"""
# Handle of the person credited for the report.
credit = "@bouk"
# Affected symbols in the module.
# NOTE(review): `Auth.ServerHTTP` looks like a misspelling of `Auth.ServeHTTP`
# (the net/http Handler method name) - confirm against the package source.
# Presumably a misspelled symbol would not match real call sites in any tool
# that keys on these names, so reachable uses could go unreported.
symbols = ["Auth.ServerHTTP", "Auth.ListenAndServeTLS", "Auth.ListenAndServe"]
# Offset date-time in UTC (trailing `Z`).
published = "2021-04-14T12:00:00Z"
# Affected version range, one array-of-tables entry per range.
# Both bounds are Go pseudo-versions (v0.0.0-<timestamp>-<commit prefix>), so
# the module has no tagged releases in this range. The suffix of `fixed`
# (063a3fb69896) is the prefix of the fix commit hash listed under [links].
# NOTE(review): presumably `fixed` is the first unaffected version - confirm
# against the schema consumed by tooling.
[[versions]]
introduced = "v0.0.0-20160722212129-ac0cc4484ad4"
fixed = "v0.0.0-20200131131040-063a3fb69896"
# Upstream references for the fix: the pull request and the commit it landed
# as. The commit hash begins with the same 12 hex characters that end the
# `fixed` pseudo-version, which ties the version bound to this change.
[links]
pr = "https://github.com/nanobox-io/golang-nanoauth/pull/5"
commit = "https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3"
# Data for the CVE record associated with this report.
# NOTE(review): the year 9999 in `id` looks like a placeholder rather than an
# assigned CVE identifier - confirm before relying on it for tracking.
[cve_metadata]
id = "CVE-9999-0003"
# This text and `cwe` describe only the empty-token authentication bypass. The
# timing side channel mentioned in the top-level `description` is not
# represented here.
# NOTE(review): consider whether a timing-discrepancy weakness (for example
# CWE-208) should be recorded as well so that issue is not lost downstream.
# The text names only `ListenAndServe`, while `symbols` also lists
# `Auth.ListenAndServeTLS`.
description = """
Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between
v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe
is called with an empty token.
"""
cwe = "CWE-305: Authentication Bypass by Primary Weakness"