blob: 4f2e00f142d61746e9a697c89bf33a0c244c11cd [file] [log] [blame]
id: GO-2023-1268
modules:
- module: mellium.im/sasl
versions:
- fixed: 0.3.1
vulnerable_at: 0.3.0
packages:
- package: mellium.im/sasl
symbols:
- NewClient
- NewServer
summary: Authentication failure in mellium.im/sasl
description: |-
An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing
SCRAM-based SASL authentication, if the remote end advertises support for
channel binding, no random nonce is generated (instead, the nonce is empty).
This causes authentication to fail in the best case, but (if paired with a
remote end that does not validate the length of the nonce) could lead to
insufficient randomness being used during authentication.
cves:
- CVE-2022-48195
ghsas:
- GHSA-gvfj-fxx3-j323
references:
- advisory: https://mellium.im/cve/cve-2022-48195/
- fix: https://codeberg.org/mellium/sasl/commit/e6cbf681b247c4efa1477eaad2cc47a01707b732
review_status: REVIEWED