CVE-2020-36569: GO-2020-0004 - Go Packages
Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token.
Vulnerability Report: GO-2020-0004
If any of the ListenAndServe functions is called with an empty token, token authentication is disabled globally for all listeners. In addition, a minor timing side channel was present that could allow an attacker with very low latency, and able to make a large number of requests, to recover the token.
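Both flaws in the report, modeled next to a hardened form. This is an added example, not code from golang-nanoauth: the header name, the function names, the shared-variable model of "globally" and the token values are assumptions constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const tokenHeader = "X-Example-Token" // hypothetical header name
var sharedToken string                // assumed model: one token shared by every weak listener
// weakHandler overwrites the shared token; "" disables the check everywhere, and != is not constant-time.
func weakHandler(token string) http.Handler {
	sharedToken = token
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if sharedToken != "" && r.Header.Get(tokenHeader) != sharedToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprintln(w, "protected resource")
	})
}

// hardenedHandler keeps its own token, fails closed on "", and uses subtle.ConstantTimeCompare.
func hardenedHandler(token string) (http.Handler, error) {
	if token == "" {
		return nil, fmt.Errorf("empty token: refusing to serve without authentication")
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if subtle.ConstantTimeCompare([]byte(r.Header.Get(tokenHeader)), []byte(token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprintln(w, "protected resource")
	}), nil
}

// status returns the response code for a request presenting the given token.
func status(h http.Handler, presented string) int {
	req, rec := httptest.NewRequest("GET", "/", nil), httptest.NewRecorder()
	req.Header.Set(tokenHeader, presented)
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	admin := weakHandler("constructed-token") // first listener, token set
	weakHandler("")                           // second listener, token left empty
	fmt.Println(status(admin, ""))            // tokenless request against the first listener
}
```

In the weak model, the first listener stops rejecting tokenless requests as soon as any other listener is configured with an empty token; the hardened constructor returns an error instead of serving.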
Affected Packages
- Path: github.com/nanobox-io/golang-nanoauth
- Versions: from v0.0.0-20160722212129-ac0cc4484ad4 before v0.0.0-20200131131040-063a3fb69896
Credits
- @bouk