CVE-2020-36569 – github.com/nanobox-io/golang-nanoauth

Package

Manager: go
Name: github.com/nanobox-io/golang-nanoauth
Vulnerable Version: >=0.0.0-20160722212129-ac0cc4484ad4 <0.0.0-20200131131040-063a3fb69896

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00065 pctl0.2056

Details

golang-nanoauth authentication bypass vulnerability Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token.

Metadata

Created: 2022-12-28T00:30:23Z
Modified: 2023-01-10T15:49:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-hrm3-3xm6-x33h/GHSA-hrm3-3xm6-x33h.json
CWE IDs: ["CWE-287", "CWE-305"]
Alternative ID: GHSA-hrm3-3xm6-x33h
Finding: F006
Auto approve: 1