blob: f8349272c91e11c2c55c450ca6ceebfe4b9c08cd [file] [log] [blame]
id: GO-2020-0045
modules:
- module: github.com/dinever/golf
versions:
- fixed: 0.3.0
vulnerable_at: 0.2.0
packages:
- package: github.com/dinever/golf
symbols:
- randomBytes
derived_symbols:
- Context.Render
- Context.RenderFromString
summary: Cryptographically weak random number generation in github.com/dinever/golf
description: |-
CSRF tokens are generated using math/rand, which is not a cryptographically
secure random number generator, allowing an attacker to predict values and
bypass CSRF protections with relatively few requests.
published: 2021-04-14T20:04:52Z
ghsas:
- GHSA-q9qr-jwpw-3qvv
credits:
- '@elithrar'
references:
- fix: https://github.com/dinever/golf/pull/24
- fix: https://github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe
- report: https://github.com/dinever/golf/issues/20
cve_metadata:
id: CVE-2016-15005
cwe: 'CWE 338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)'
review_status: REVIEWED