Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ocm0zLTN4bTYteDMzaM4AAwoO
golang-nanoauth authentication bypass vulnerability
Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token.
Permalink: https://github.com/advisories/GHSA-hrm3-3xm6-x33hJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ocm0zLTN4bTYteDMzaM4AAwoO
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 9 months ago
Updated: 8 months ago
CVSS Score: 9.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Identifiers: GHSA-hrm3-3xm6-x33h, CVE-2020-36569
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-36569
- https://github.com/nanobox-io/golang-nanoauth/pull/5
- https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
- https://pkg.go.dev/vuln/GO-2020-0004
- https://github.com/advisories/GHSA-hrm3-3xm6-x33h
Affected Packages
go:github.com/nanobox-io/golang-nanoauth
Versions: >= 0.0.0-20160722212129-ac0cc4484ad4, < 0.0.0-20200131131040-063a3fb69896Fixed in: 0.0.0-20200131131040-063a3fb69896