| modules: |
| - module: github.com/dinever/golf |
| versions: |
| - fixed: 0.3.0 |
| packages: |
| - package: github.com/dinever/golf |
| symbols: |
| - randomBytes |
| derived_symbols: |
| - Context.Render |
| - Context.RenderFromString |
| description: | |
| CSRF tokens are generated using math/rand, which is not a cryptographically secure |
| rander number generation, making predicting their values relatively trivial and |
| allowing an attacker to bypass CSRF protections which relatively few requests. |
| published: 2021-04-14T20:04:52Z |
| credit: '@elithrar' |
| references: |
| - fix: https://github.com/dinever/golf/pull/24 |
| - fix: https://github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe |
| - web: https://github.com/dinever/golf/issues/20 |
| cve_metadata: |
| id: CVE-2016-15005 |
| cwe: 'CWE 338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)' |