id: GO-2021-0107
modules:
    - module: github.com/ecnepsnai/web
      versions:
        - introduced: 1.4.0
        - fixed: 1.5.2
      vulnerable_at: 1.5.1
      packages:
        - package: github.com/ecnepsnai/web
          symbols:
            - Server.socketHandler
          derived_symbols:
            - Server.Socket
summary: Panic or authentication bypass in github.com/ecnepsnai/web
description: |-
    Web Sockets do not execute any AuthenticateMethod methods which may be set,
    leading to a nil pointer dereference if the returned UserData pointer is assumed
    to be non-nil, or authentication bypass.

    This issue only affects WebSockets with an AuthenticateMethod hook. Request
    handlers that do not explicitly use WebSockets are not vulnerable.
published: 2021-07-28T18:08:05Z
ghsas:
    - GHSA-5gjg-jgh4-gppm
    - GHSA-jpgg-cp2x-qrw3
references:
    - fix: https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f
cve_metadata:
    id: CVE-2021-4236
    cwe: 'CWE-400: Uncontrolled Resource Consumption'
review_status: REVIEWED