blob: b742bce570b86fa1596bcdf95f063536b7459e3e [file] [log] [blame]
id: GO-2020-0004
modules:
- module: github.com/nanobox-io/golang-nanoauth
versions:
- introduced: 0.0.0-20160722212129-ac0cc4484ad4
- fixed: 0.0.0-20200131131040-063a3fb69896
vulnerable_at: 0.0.0-20190311151057-c2ebbac481bb
packages:
- package: github.com/nanobox-io/golang-nanoauth
symbols:
- Auth.ServeHTTP
- Auth.ListenAndServeTLS
- Auth.ListenAndServe
derived_symbols:
- ListenAndServe
- ListenAndServeTLS
summary: Authentication bypass in github.com/nanobox-io/golang-nanoauth
description: |-
If any of the ListenAndServe functions are called with an empty token, token
authentication is disabled globally for all listeners.
Also, a minor timing side channel was present allowing attackers with very low
latency and able to make many requests to potentially recover the token.
published: 2021-04-14T20:04:52Z
ghsas:
- GHSA-hrm3-3xm6-x33h
credits:
- '@bouk'
references:
- fix: https://github.com/nanobox-io/golang-nanoauth/pull/5
- fix: https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
cve_metadata:
id: CVE-2020-36569
cwe: 'CWE-305: Authentication Bypass by Primary Weakness'
description: |-
Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth
between v0.0.0-20160722212129-ac0cc4484ad4 and
v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty
token.
review_status: REVIEWED