зеркало из https://github.com/golang/vulndb.git
28 строки
1.1 KiB
YAML
28 строки
1.1 KiB
YAML
module: github.com/nanobox-io/golang-nanoauth
|
|
versions:
|
|
- introduced: v0.0.0-20160722212129-ac0cc4484ad4
|
|
fixed: v0.0.0-20200131131040-063a3fb69896
|
|
description: |
|
|
If any of the `ListenAndServe` functions are called with an empty token,
|
|
token authentication is disabled globally for all listeners.
|
|
|
|
Also, a minor timing side channel was present allowing attackers with
|
|
very low latency and able to make a lot of requests to potentially
|
|
recover the token.
|
|
published: 2021-04-14T12:00:00Z
|
|
credit: "@bouk"
|
|
symbols:
|
|
- Auth.ServerHTTP
|
|
- Auth.ListenAndServeTLS
|
|
- Auth.ListenAndServe
|
|
links:
|
|
pr: https://github.com/nanobox-io/golang-nanoauth/pull/5
|
|
commit: https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
|
|
cve_metadata:
|
|
id: CVE-9999-0003
|
|
cwe: "CWE-305: Authentication Bypass by Primary Weakness"
|
|
description: |
|
|
Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between
|
|
v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe
|
|
is called with an empty token.
|