
CVE-2020-36569: golang-nanoauth authentication bypass vulnerability

CVSS Score (v3.1): 9.1

Basic Information

EPSS Score: 0.23262%
Published: 12/28/2022
Updated: 2/3/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Package Name: github.com/nanobox-io/golang-nanoauth
Ecosystem: go
Vulnerable Versions: >= 0.0.0-20160722212129-ac0cc4484ad4, < 0.0.0-20200131131040-063a3fb69896
First Patched Version: 0.0.0-20200131131040-063a3fb69896

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from two related issues. First, a global 'check' variable could disable authentication entirely when an empty token was passed to the Listen* functions. Second, server initialization did not validate that the token was non-empty. In the pre-patch code, both ListenAndServe and ListenAndServeTLS set check=false when the token was empty, so the authentication comparison in ServeHTTP was skipped for every request. The patch made token validation mandatory (returning errors.New when the token is empty) and removed the global 'check' variable, confirming that these functions were the entry points for the vulnerability.
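To make the root cause concrete, the following is an added illustration, not code from golang-nanoauth or from this advisory. It models the two designs the analysis describes in a few dozen lines: a legacy handler whose setup step flips a 'check' flag to false when the token is empty, and a patched handler whose constructor refuses an empty token and has no flag to switch off. The header name X-Auth-Token, the type and function names, and the in-memory probe helper are all assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// authHeader is an assumed header name for this illustration; the advisory
// does not state which header the library reads.
const authHeader = "X-Auth-Token"

// LegacyServer models the pre-patch design described in the advisory:
// a "check" flag that, once false, disables the token comparison in
// ServeHTTP for every request the server handles.
type LegacyServer struct {
	token string
	check bool
}

// NewLegacyServer mirrors the pre-patch ListenAndServe setup step: an empty
// token silently turns authentication off instead of being rejected.
func NewLegacyServer(token string) *LegacyServer {
	s := &LegacyServer{token: token, check: true}
	if token == "" {
		s.check = false // the root cause: auth disabled rather than refused
	}
	return s
}

// ServeHTTP only compares tokens while check is true.
func (s *LegacyServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if s.check && r.Header.Get(authHeader) != s.token {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// PatchedServer models the fix: the constructor refuses an empty token,
// and there is no global flag that can switch the check off.
type PatchedServer struct {
	token string
}

// NewPatchedServer returns an error for an empty token, so a misconfigured
// server never starts instead of starting without authentication.
func NewPatchedServer(token string) (*PatchedServer, error) {
	if token == "" {
		return nil, errors.New("nanoauth: token must not be empty")
	}
	return &PatchedServer{token: token}, nil
}

// ServeHTTP always compares the presented token; nothing can bypass it.
func (s *PatchedServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get(authHeader) != s.token {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// Probe sends one in-memory request carrying the given header value
// (omitted when empty) and returns the status code the handler produced.
func Probe(h http.Handler, presented string) int {
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	if presented != "" {
		req.Header.Set(authHeader, presented)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed scenario: a server started with an empty token and a
	// request that carries no credential at all.
	fmt.Println("legacy, empty token, no credential:", Probe(NewLegacyServer(""), ""))
	fmt.Println("legacy, real token, no credential:", Probe(NewLegacyServer("s3cret"), ""))
	if _, err := NewPatchedServer(""); err != nil {
		fmt.Println("patched, empty token:", err)
	}
	p, _ := NewPatchedServer("s3cret")
	fmt.Println("patched, real token, no credential:", Probe(p, ""))
	fmt.Println("patched, real token, correct credential:", Probe(p, "s3cret"))
}
```

The legacy model answers 200 to an unauthenticated request whenever it was started with an empty token, which is the "globally bypassed" condition the advisory describes; the patched model cannot be started in that state at all, so a deployment that omits the token fails loudly at startup rather than silently exposing every route. When reviewing a fork or a copy of this pattern, the thing to grep for is any package-level boolean that gates the authentication branch and is written from a configuration value.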

Vulnerable functions


WAF Protection Rules

WAF Rule

Authentication is globally bypassed in github.com/nanobox-io/golang-nanoauth between v0.0.0-20160722212129-ac0cc4484ad4 and v0.0.0-20200131131040-063a3fb69896 if ListenAndServe is called with an empty token.
