Vulnerability Description
Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid.
CVSS Score
7.5 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nosurf Project | Nosurf | < 1.1.1 |
Related Weaknesses (CWE)
References
- https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c3 (Patch, Third Party Advisory)
- https://github.com/justinas/nosurf/pull/60 (Patch, Third Party Advisory)
- https://pkg.go.dev/vuln/GO-2020-0049 (Third Party Advisory)
FAQ
What is CVE-2020-36564?
CVE-2020-36564 is a vulnerability with a CVSS score of 7.5 (HIGH). Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid.
How severe is CVE-2020-36564?
CVE-2020-36564 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS score above for the severity rating.
Is there a patch for CVE-2020-36564?
Check the references section above for vendor advisories and patch information. Affected products include: Nosurf (Nosurf Project), versions before 1.1.1.