CVE-2020-36569: GO-2020-0004 - Go Packages

Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token.


Vulnerability Report: GO-2020-0004

If any of the ListenAndServe functions is called with an empty token, token authentication is disabled globally for all listeners. A minor timing side channel was also present, which could allow an attacker with very low latency and the ability to make a large number of requests to recover the token.
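The two flaws described above, shown side by side as an added Go example (this is not code from golang-nanoauth): `weakAuth` treats an empty token as "no check" and compares with `!=`, while `strictAuth` refuses an empty token and compares with `crypto/subtle`. The function names, the `X-AUTH-TOKEN` header and the sample tokens are assumptions made for this illustration.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

const tokenHeader = "X-AUTH-TOKEN" // assumed header name for this example

// weakAuth models the flaw: an empty token disables the check, and != is not constant-time.
func weakAuth(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if token != "" && r.Header.Get(tokenHeader) != token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// strictAuth rejects an empty token at setup, keeps it per handler, and compares in constant time.
func strictAuth(token string, next http.Handler) (http.Handler, error) {
	if token == "" {
		return nil, errors.New("empty auth token: refusing to serve")
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if subtle.ConstantTimeCompare([]byte(r.Header.Get(tokenHeader)), []byte(token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	}), nil
}

// status sends one constructed request through h and returns the HTTP status code.
func status(h http.Handler, sent string) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set(tokenHeader, sent)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

var ok = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })

func main() {
	_, err := strictAuth("", ok)
	fmt.Println(status(weakAuth("", ok), "anything"), err)
}
```

`subtle.ConstantTimeCompare` returns immediately when the two lengths differ, so it hides the token's contents but not its length.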

Affected Packages

  • Versions: from v0.0.0-20160722212129-ac0cc4484ad4 before v0.0.0-20200131131040-063a3fb69896

Credits

  • @bouk


Related news

GHSA-hrm3-3xm6-x33h: golang-nanoauth authentication bypass vulnerability
