CVE-2020-36569 - Vulnerability Details - OpenCVE

Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Digitalocean	Golang-nanoauth

Configuration 1 [-]

cpe:2.3:a:digitalocean:golang-nanoauth:*:*:*:*:*:go:*:*

No data.

References

Link	Providers
https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
https://github.com/nanobox-io/golang-nanoauth/pull/5
https://pkg.go.dev/vuln/GO-2020-0004

History

No history.

MITRE

Status: PUBLISHED

Assigner: Go

Published: 2022-12-27T21:12:58.427Z

Updated: 2024-08-04T17:30:08.318Z

Reserved: 2022-07-29T19:15:54.024Z

Link: CVE-2020-36569

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-12-27T22:15:11.857

Modified: 2024-11-21T05:29:51.547

Link: CVE-2020-36569

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2020-36569", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2022-07-29T19:15:54.024Z", "datePublished": "2022-12-27T21:12:58.427Z", "dateUpdated": "2024-08-04T17:30:08.318Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-06-12T19:03:21.447Z"}, "title": "Authentication bypass in github.com/nanobox-io/golang-nanoauth", "descriptions": [{"lang": "en", "value": "Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token."}], "affected": [{"vendor": "github.com/nanobox-io/golang-nanoauth", "product": "github.com/nanobox-io/golang-nanoauth", "collectionURL": "https://pkg.go.dev", "packageName": "github.com/nanobox-io/golang-nanoauth", "versions": [{"version": "0.0.0-20160722212129-ac0cc4484ad4", "lessThan": "0.0.0-20200131131040-063a3fb69896", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "Auth.ServeHTTP"}, {"name": "Auth.ListenAndServeTLS"}, {"name": "Auth.ListenAndServe"}, {"name": "ListenAndServe"}, {"name": "ListenAndServeTLS"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-305: Authentication Bypass by Primary Weakness"}]}], "references": [{"url": "https://github.com/nanobox-io/golang-nanoauth/pull/5"}, {"url": "https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3"}, {"url": "https://pkg.go.dev/vuln/GO-2020-0004"}], "credits": [{"lang": "en", "value": "@bouk"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T17:30:08.318Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/nanobox-io/golang-nanoauth/pull/5", "tags": ["x_transferred"]}, {"url": "https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3", "tags": ["x_transferred"]}, {"url": "https://pkg.go.dev/vuln/GO-2020-0004", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:digitalocean:golang-nanoauth:*:*:*:*:*:go:*:*", "matchCriteriaId": "0BACD8D2-E5B2-4784-AA4D-08EC229199FF", "versionEndIncluding": "2020-01-31", "versionStartIncluding": "2016-07-22", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token."}, {"lang": "es", "value": "La autenticaci\u00f3n se omite globalmente en github.com/nanobox-io/golang-nanoauth entre v0.0.0-20160722212129-ac0cc4484ad4 y v0.0.0-20200131131040-063a3fb69896 si se llama a ListenAndServe con un token vac\u00edo."}], "id": "CVE-2020-36569", "lastModified": "2024-11-21T05:29:51.547", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-27T22:15:11.857", "references": [{"source": "security@golang.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://github.com/nanobox-io/golang-nanoauth/pull/5"}, {"source": "security@golang.org", "tags": ["Third Party Advisory"], "url": "https://pkg.go.dev/vuln/GO-2020-0004"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/nanobox-io/golang-nanoauth/pull/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://pkg.go.dev/vuln/GO-2020-0004"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}