Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01eDg0LXE1MjMtdnZ3cs4AAwoU
nosurf vulnerable to improper input validation
Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid.
Permalink: https://github.com/advisories/GHSA-5x84-q523-vvwrJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01eDg0LXE1MjMtdnZ3cs4AAwoU
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-5x84-q523-vvwr, CVE-2020-36564
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-36564
- https://github.com/justinas/nosurf/pull/60
- https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314
- https://pkg.go.dev/vuln/GO-2020-0049
- https://github.com/advisories/GHSA-5x84-q523-vvwr
Blast Radius: 21.1
Affected Packages
go:github.com/justinas/nosurf
Dependent packages: 382Dependent repositories: 657
Downloads:
Affected Version Ranges: < 1.1.1
Fixed in: 1.1.1
All affected versions: 1.0.0, 1.1.0
All unaffected versions: 1.1.1