Vulnerability Description
Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Web Project | Web | >= 1.4.0, < 1.5.2 |
Related Weaknesses (CWE)
References
- https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002fPatchThird Party Advisory
- https://pkg.go.dev/vuln/GO-2021-0107ExploitPatchThird Party Advisory
- https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002fPatchThird Party Advisory
- https://pkg.go.dev/vuln/GO-2021-0107ExploitPatchThird Party Advisory
FAQ
What is CVE-2021-4236?
CVE-2021-4236 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. Th...
How severe is CVE-2021-4236?
CVE-2021-4236 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-4236?
Check the references section above for vendor advisories and patch information. Affected products include: Web Project Web.