Description
CSRF tokens are generated using math/rand, which is not a cryptographically secure random number generator, allowing an attacker to predict values and bypass CSRF protections with relatively few requests.
References (4)
Core 4
Core References
Patch, Third Party Advisory
https://github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe
Issue Tracking, Third Party Advisory
https://github.com/dinever/golf/issues/20
Patch, Third Party Advisory
https://github.com/dinever/golf/pull/24
Third Party Advisory
https://pkg.go.dev/vuln/GO-2020-0045
Scores
CVSS v3
8.8
EPSS
0.0038
EPSS Percentile
30.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-352
Status
published
Products (2)
dinever/golf
0 - 0.3.0Go
golf_project/golf
< 0.3.0
Published
Dec 27, 2022
Tracked Since
Feb 18, 2026