Vulnerability Description
Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Digitalocean | Golang-Nanoauth | >= 2016-07-22, <= 2020-01-31 |
Related Weaknesses (CWE)
References
- https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe38 (Patch, Third Party Advisory)
- https://github.com/nanobox-io/golang-nanoauth/pull/5 (Third Party Advisory)
- https://pkg.go.dev/vuln/GO-2020-0004 (Third Party Advisory)
FAQ
What is CVE-2020-36569?
CVE-2020-36569 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty...
How severe is CVE-2020-36569?
CVE-2020-36569 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2020-36569?
Check the references section above for vendor advisories and patch information. Affected products include: Digitalocean Golang-Nanoauth.