data/reports/GO-2020-0004.yaml - vulndb - Git at Google

 id: GO-2020-0004
 modules:
     - module: github.com/nanobox-io/golang-nanoauth
       versions:
         - introduced: 0.0.0-20160722212129-ac0cc4484ad4
           fixed: 0.0.0-20200131131040-063a3fb69896
       vulnerable_at: 0.0.0-20190311151057-c2ebbac481bb
       packages:
         - package: github.com/nanobox-io/golang-nanoauth
           symbols:
             - Auth.ServeHTTP
             - Auth.ListenAndServeTLS
             - Auth.ListenAndServe
           derived_symbols:
             - ListenAndServe
             - ListenAndServeTLS
 summary: Authentication bypass in github.com/nanobox-io/golang-nanoauth
 description: |-
     If any of the ListenAndServe functions are called with an empty token, token
     authentication is disabled globally for all listeners.

     Also, a minor timing side channel was present allowing attackers with very low
     latency and able to make many requests to potentially recover the token.
 published: 2021-04-14T20:04:52Z
 ghsas:
     - GHSA-hrm3-3xm6-x33h
 credits:
     - '@bouk'
 references:
     - fix: https://github.com/nanobox-io/golang-nanoauth/pull/5
     - fix: https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
 cve_metadata:
     id: CVE-2020-36569
     cwe: 'CWE-305: Authentication Bypass by Primary Weakness'
     description: |-
         Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth
         between v0.0.0-20160722212129-ac0cc4484ad4 and
         v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty
         token.
	id: GO-2020-0004
	modules:
	- module: github.com/nanobox-io/golang-nanoauth
	versions:
	- introduced: 0.0.0-20160722212129-ac0cc4484ad4
	fixed: 0.0.0-20200131131040-063a3fb69896
	vulnerable_at: 0.0.0-20190311151057-c2ebbac481bb
	packages:
	- package: github.com/nanobox-io/golang-nanoauth
	symbols:
	- Auth.ServeHTTP
	- Auth.ListenAndServeTLS
	- Auth.ListenAndServe
	derived_symbols:
	- ListenAndServe
	- ListenAndServeTLS
	summary: Authentication bypass in github.com/nanobox-io/golang-nanoauth
	description: \|-
	If any of the ListenAndServe functions are called with an empty token, token
	authentication is disabled globally for all listeners.

	Also, a minor timing side channel was present allowing attackers with very low
	latency and able to make many requests to potentially recover the token.
	published: 2021-04-14T20:04:52Z
	ghsas:
	- GHSA-hrm3-3xm6-x33h
	credits:
	- '@bouk'
	references:
	- fix: https://github.com/nanobox-io/golang-nanoauth/pull/5
	- fix: https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
	cve_metadata:
	id: CVE-2020-36569
	cwe: 'CWE-305: Authentication Bypass by Primary Weakness'
	description: \|-
	Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth
	between v0.0.0-20160722212129-ac0cc4484ad4 and
	v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty
	token.