data/reports/GO-2023-1268.yaml - vulndb - Git at Google

 id: GO-2023-1268
 modules:
     - module: mellium.im/sasl
       versions:
         - fixed: 0.3.1
       vulnerable_at: 0.3.0
       packages:
         - package: mellium.im/sasl
           symbols:
             - NewClient
             - NewServer
 summary: Authentication failure in mellium.im/sasl
 description: |-
     An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing
     SCRAM-based SASL authentication, if the remote end advertises support for
     channel binding, no random nonce is generated (instead, the nonce is empty).
     This causes authentication to fail in the best case, but (if paired with a
     remote end that does not validate the length of the nonce) could lead to
     insufficient randomness being used during authentication.
 cves:
     - CVE-2022-48195
 ghsas:
     - GHSA-gvfj-fxx3-j323
 references:
     - advisory: https://mellium.im/cve/cve-2022-48195/
     - fix: https://codeberg.org/mellium/sasl/commit/e6cbf681b247c4efa1477eaad2cc47a01707b732
	id: GO-2023-1268
	modules:
	- module: mellium.im/sasl
	versions:
	- fixed: 0.3.1
	vulnerable_at: 0.3.0
	packages:
	- package: mellium.im/sasl
	symbols:
	- NewClient
	- NewServer
	summary: Authentication failure in mellium.im/sasl
	description: \|-
	An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing
	SCRAM-based SASL authentication, if the remote end advertises support for
	channel binding, no random nonce is generated (instead, the nonce is empty).
	This causes authentication to fail in the best case, but (if paired with a
	remote end that does not validate the length of the nonce) could lead to
	insufficient randomness being used during authentication.
	cves:
	- CVE-2022-48195
	ghsas:
	- GHSA-gvfj-fxx3-j323
	references:
	- advisory: https://mellium.im/cve/cve-2022-48195/
	- fix: https://codeberg.org/mellium/sasl/commit/e6cbf681b247c4efa1477eaad2cc47a01707b732