CVE-2020-36569
CRITICAL
golang-nanoauth - Authentication Bypass via Empty Token
Title source: llm
Description
Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token.
References (3)
Core References
Patch, Third Party Advisory
https://github.com/nanobox-io/golang-nanoauth/commit/063a3fb69896acf985759f0fe3851f15973993f3
Third Party Advisory
https://github.com/nanobox-io/golang-nanoauth/pull/5
Third Party Advisory
https://pkg.go.dev/vuln/GO-2020-0004
Scores
CVSS v3
9.1
EPSS
0.0036
EPSS Percentile
58.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-287
Status
published
Products (2)
digitalocean/golang-nanoauth
2016-07-22 - 2020-01-31
nanobox-io/golang-nanoauth
0.0.0-20160722212129-ac0cc4484ad4 - 0.0.0-20200131131040-063a3fb69896
Go
Published
Dec 27, 2022
Tracked Since
Feb 18, 2026