golang-nanoauth authentication bypass vulnerability
Critical severity
GitHub Reviewed
Published
Dec 28, 2022
to the GitHub Advisory Database
•
Updated Feb 3, 2023
Package
Affected versions
>= 0.0.0-20160722212129-ac0cc4484ad4, < 0.0.0-20200131131040-063a3fb69896
Patched versions
0.0.0-20200131131040-063a3fb69896
Description
Published by the National Vulnerability Database
Dec 27, 2022
Published to the GitHub Advisory Database
Dec 28, 2022
Reviewed
Dec 30, 2022
Last updated
Feb 3, 2023
Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token.
References