data/reports/GO-2020-0004.yaml

modules:
  - module: github.com/nanobox-io/golang-nanoauth
    versions:
      - introduced: 0.0.0-20160722212129-ac0cc4484ad4
        fixed: 0.0.0-20200131131040-063a3fb69896
    packages:
      - package: github.com/nanobox-io/golang-nanoauth
        symbols:
          - Auth.ServerHTTP
          - Auth.ListenAndServeTLS
          - Auth.ListenAndServe
        derived_symbols:
          - ListenAndServe
          - ListenAndServeTLS
description: |
    If any of the ListenAndServe functions are called with an empty token,
    token authentication is disabled globally for all listeners.

    Also, a minor timing side channel was present allowing attackers with
    very low latency and able to make a lot of requests to potentially
    recover the token.
published: 2021-04-14T20:04:52Z
credit: '@bouk'
references:
  - fix: https://github.com/nanobox-io/golang-nanoauth/pull/5
  - fix: https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
cve_metadata:
    id: CVE-2020-36569
    cwe: 'CWE-305: Authentication Bypass by Primary Weakness'
    description: |
        Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between
        v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe
        is called with an empty token.