data/reports/GO-2023-1268.yaml - vulndb - Git at Google

 modules:
   - module: mellium.im/sasl
     versions:
       - fixed: 0.3.1
     vulnerable_at: 0.3.0
     packages:
       - package: mellium.im/sasl
         symbols:
           - NewClient
           - NewServer
 description: |-
     An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When
     performing SCRAM-based SASL authentication, if the remote end advertises support
     for channel binding, no random nonce is generated (instead, the nonce is empty).
     This causes authentication to fail in the best case, but (if paired with a remote
     end that does not validate the length of the nonce) could lead to insufficient
     randomness being used during authentication.
 cves:
   - CVE-2022-48195
 ghsas:
   - GHSA-gvfj-fxx3-j323
 references:
   - advisory: https://mellium.im/cve/cve-2022-48195/
   - fix: https://codeberg.org/mellium/sasl/commit/e6cbf681b247c4efa1477eaad2cc47a01707b732
	modules:
	- module: mellium.im/sasl
	versions:
	- fixed: 0.3.1
	vulnerable_at: 0.3.0
	packages:
	- package: mellium.im/sasl
	symbols:
	- NewClient
	- NewServer
	description: \|-
	An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When
	performing SCRAM-based SASL authentication, if the remote end advertises support
	for channel binding, no random nonce is generated (instead, the nonce is empty).
	This causes authentication to fail in the best case, but (if paired with a remote
	end that does not validate the length of the nonce) could lead to insufficient
	randomness being used during authentication.
	cves:
	- CVE-2022-48195
	ghsas:
	- GHSA-gvfj-fxx3-j323
	references:
	- advisory: https://mellium.im/cve/cve-2022-48195/
	- fix: https://codeberg.org/mellium/sasl/commit/e6cbf681b247c4efa1477eaad2cc47a01707b732