id: GO-2021-0107
modules:
    - module: github.com/ecnepsnai/web
      versions:
        - introduced: 1.4.0
          fixed: 1.5.2
      vulnerable_at: 1.5.1
      packages:
        - package: github.com/ecnepsnai/web
          symbols:
            - Server.socketHandler
          derived_symbols:
            - Server.Socket
summary: Panic or authentication bypass in github.com/ecnepsnai/web
description: |-
    Web Sockets do not execute any AuthenticateMethod methods which may be set,
    leading to a nil pointer dereference if the returned UserData pointer is assumed
    to be non-nil, or authentication bypass.
    This issue only affects WebSockets with an AuthenticateMethod hook. Request
    handlers that do not explicitly use WebSockets are not vulnerable.
published: 2021-07-28T18:08:05Z
ghsas:
    - GHSA-5gjg-jgh4-gppm
    - GHSA-jpgg-cp2x-qrw3
references:
    - fix: https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f
cve_metadata:
    id: CVE-2021-4236
    cwe: 'CWE-400: Uncontrolled Resource Consumption'