| package = "github.com/nanobox-io/golang-nanoauth" |
| |
| description = """ |
| If any of the `ListenAndServe` functions are called with an empty token, |
| token authentication is disabled globally for all listeners. |
| |
| Also, a minor timing side channel was present allowing attackers with |
| very low latency and able to make a lot of requests to potentially |
| recover the token. |
| """ |
| |
| credit = "@bouk" |
| |
| symbols = ["Auth.ServerHTTP", "Auth.ListenAndServeTLS", "Auth.ListenAndServe"] |
| |
| [[versions]] |
| introduced = "v0.0.0-20160722212129-ac0cc4484ad4" |
| fixed = "v0.0.0-20200131131040-063a3fb69896" |
| |
| [links] |
| pr = "https://github.com/nanobox-io/golang-nanoauth/pull/5" |
| commit = "https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3" |
| |
| [cve_metadata] |
| id = "CVE-XXXX-0003" |
| description = """ |
| Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between |
| v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe |
| is called with an empty token. |
| """ |
| cwe = "CWE-305: Authentication Bypass by Primary Weakness" |
