| id: GO-2020-0004 |
| modules: |
| - module: github.com/nanobox-io/golang-nanoauth |
| versions: |
| - introduced: 0.0.0-20160722212129-ac0cc4484ad4 |
| - fixed: 0.0.0-20200131131040-063a3fb69896 |
| vulnerable_at: 0.0.0-20190311151057-c2ebbac481bb |
| packages: |
| - package: github.com/nanobox-io/golang-nanoauth |
| symbols: |
| - Auth.ServeHTTP |
| - Auth.ListenAndServeTLS |
| - Auth.ListenAndServe |
| derived_symbols: |
| - ListenAndServe |
| - ListenAndServeTLS |
| summary: Authentication bypass in github.com/nanobox-io/golang-nanoauth |
| description: |- |
| If any of the ListenAndServe functions are called with an empty token, token |
| authentication is disabled globally for all listeners. |
| |
| Also, a minor timing side channel was present allowing attackers with very low |
| latency and able to make many requests to potentially recover the token. |
| published: 2021-04-14T20:04:52Z |
| ghsas: |
| - GHSA-hrm3-3xm6-x33h |
| credits: |
| - '@bouk' |
| references: |
| - fix: https://github.com/nanobox-io/golang-nanoauth/pull/5 |
| - fix: https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3 |
| cve_metadata: |
| id: CVE-2020-36569 |
| cwe: 'CWE-305: Authentication Bypass by Primary Weakness' |
| description: |- |
| Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth |
| between v0.0.0-20160722212129-ac0cc4484ad4 and |
| v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty |
| token. |
| review_status: REVIEWED |