{"id":"GO-2021-0107","summary":"Panic or authentication bypass in github.com/ecnepsnai/web","details":"Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass.\n\nThis issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable.","aliases":["CVE-2021-4236","GHSA-5gjg-jgh4-gppm","GHSA-jpgg-cp2x-qrw3"],"modified":"2024-05-20T16:03:47Z","published":"2021-07-28T18:08:05Z","database_specific":{"url":"https://pkg.go.dev/vuln/GO-2021-0107","review_status":"REVIEWED"},"references":[{"type":"FIX","url":"https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f"}],"affected":[{"package":{"name":"github.com/ecnepsnai/web","ecosystem":"Go","purl":"pkg:golang/github.com/ecnepsnai/web"},"ranges":[{"type":"SEMVER","events":[{"introduced":"1.4.0"},{"fixed":"1.5.2"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/ecnepsnai/web","symbols":["Server.Socket","Server.socketHandler"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2021-0107.json"}}],"schema_version":"1.7.3"}