CVE-2020-36564
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Summary
Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| github.com/justinas/nosurf | github.com/justinas/nosurf | 0 < 1.1.1 | affected |
Weaknesses
- CWE 345: Insufficient Verification of Data Authenticity
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/justinas/nosurf/pull/60
- https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314
- https://pkg.go.dev/vuln/GO-2020-0049
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
- https://github.com/justinas/nosurf/pull/60
- https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314
- https://pkg.go.dev/vuln/GO-2020-0049
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.