CVE-2022-48195 – mellium.im/sasl

Package

Manager: go
Name: mellium.im/sasl
Vulnerable Version: >=0 <0.3.1

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00329 pctl0.55167

Details

mellium.im/sasl authentication failure due to insufficient nonce randomness An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated (instead, the nonce is empty). This causes authentication to fail in the best case, but (if paired with a remote end that does not validate the length of the nonce) could lead to insufficient randomness being used during authentication.

Metadata

Created: 2022-12-31T03:30:26Z
Modified: 2024-05-20T21:43:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-gvfj-fxx3-j323/GHSA-gvfj-fxx3-j323.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-gvfj-fxx3-j323
Finding: F006
Auto approve: 1