data/reports/GO-2020-0049.yaml - vulndb - Git at Google

 id: GO-2020-0049
 modules:
     - module: github.com/justinas/nosurf
       versions:
         - fixed: 1.1.1
       vulnerable_at: 1.1.0
       packages:
         - package: github.com/justinas/nosurf
           symbols:
             - VerifyToken
             - verifyToken
           derived_symbols:
             - CSRFHandler.ServeHTTP
 summary: Improper input validation in github.com/justinas/nosurf
 description: |-
     Due to improper validation of caller input, validation is silently disabled if
     the provided expected token is malformed, causing any user supplied token to be
     considered valid.
 published: 2021-04-14T20:04:52Z
 ghsas:
     - GHSA-5x84-q523-vvwr
 credits:
     - '@aeneasr'
 references:
     - fix: https://github.com/justinas/nosurf/pull/60
     - fix: https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314
 cve_metadata:
     id: CVE-2020-36564
     cwe: 'CWE 345: Insufficient Verification of Data Authenticity'
	id: GO-2020-0049
	modules:
	- module: github.com/justinas/nosurf
	versions:
	- fixed: 1.1.1
	vulnerable_at: 1.1.0
	packages:
	- package: github.com/justinas/nosurf
	symbols:
	- VerifyToken
	- verifyToken
	derived_symbols:
	- CSRFHandler.ServeHTTP
	summary: Improper input validation in github.com/justinas/nosurf
	description: \|-
	Due to improper validation of caller input, validation is silently disabled if
	the provided expected token is malformed, causing any user supplied token to be
	considered valid.
	published: 2021-04-14T20:04:52Z
	ghsas:
	- GHSA-5x84-q523-vvwr
	credits:
	- '@aeneasr'
	references:
	- fix: https://github.com/justinas/nosurf/pull/60
	- fix: https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314
	cve_metadata:
	id: CVE-2020-36564
	cwe: 'CWE 345: Insufficient Verification of Data Authenticity'