{"id":"GHSA-hrm3-3xm6-x33h","summary":"golang-nanoauth authentication bypass vulnerability","details":"Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth from v0.0.0-20160722212129-ac0cc4484ad4 up to, but not including, the fixed version v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token.","aliases":["CVE-2020-36569","GO-2020-0004"],"modified":"2023-11-08T04:03:47.973414Z","published":"2022-12-28T00:30:23Z","database_specific":{"severity":"CRITICAL","github_reviewed":true,"github_reviewed_at":"2022-12-30T18:54:51Z","cwe_ids":["CWE-287","CWE-305"],"nvd_published_at":"2022-12-27T22:15:00Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2020-36569"},{"type":"WEB","url":"https://github.com/nanobox-io/golang-nanoauth/pull/5"},{"type":"WEB","url":"https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3"},{"type":"PACKAGE","url":"https://github.com/nanobox-io/golang-nanoauth"},{"type":"WEB","url":"https://pkg.go.dev/vuln/GO-2020-0004"}],"affected":[{"package":{"name":"github.com/nanobox-io/golang-nanoauth","ecosystem":"Go","purl":"pkg:golang/github.com/nanobox-io/golang-nanoauth"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.0.0-20160722212129-ac0cc4484ad4"},{"fixed":"0.0.0-20200131131040-063a3fb69896"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-hrm3-3xm6-x33h/GHSA-hrm3-3xm6-x33h.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}]}