Vulnerability Details CVE-2020-36569
Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 23.3%
CVSS Severity
CVSS v3 Score 9.1
References
- https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
- https://github.com/nanobox-io/golang-nanoauth/pull/5
- https://pkg.go.dev/vuln/GO-2020-0004
- https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
- https://github.com/nanobox-io/golang-nanoauth/pull/5
- https://pkg.go.dev/vuln/GO-2020-0004
Products affected by CVE-2020-36569
-
cpe:2.3:a:digitalocean:golang-nanoauth:2016-07-22
-
cpe:2.3:a:digitalocean:golang-nanoauth:2016-07-25
-
cpe:2.3:a:digitalocean:golang-nanoauth:2016-08-22
-
cpe:2.3:a:digitalocean:golang-nanoauth:2016-10-26
-
cpe:2.3:a:digitalocean:golang-nanoauth:2019-03-11
-
cpe:2.3:a:digitalocean:golang-nanoauth:2019-03-18
-
cpe:2.3:a:digitalocean:golang-nanoauth:2020-01-31