Vulnerabilities related to github.com/justinas/nosurf - github.com/justinas/nosurf
CVE-2020-36564 (GCVE-0-2020-36564)
Vulnerability from cvelistv5
Published
2022-12-27 21:13
Modified
2025-04-11 16:26
CWE
  • CWE 345: Insufficient Verification of Data Authenticity
Summary
Due to improper validation of caller input, token validation is silently disabled when the provided expected token is malformed, so any user-supplied token is considered valid.
Impacted products


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T17:30:08.463Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/justinas/nosurf/pull/60"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://pkg.go.dev/vuln/GO-2020-0049"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2020-36564",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-11T16:25:49.012598Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-11T16:26:19.344Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://pkg.go.dev",
          "defaultStatus": "unaffected",
          "packageName": "github.com/justinas/nosurf",
          "product": "github.com/justinas/nosurf",
          "programRoutines": [
            {
              "name": "VerifyToken"
            },
            {
              "name": "verifyToken"
            },
            {
              "name": "CSRFHandler.ServeHTTP"
            }
          ],
          "vendor": "github.com/justinas/nosurf",
          "versions": [
            {
              "lessThan": "1.1.1",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "@aeneasr"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Due to improper validation of caller input, token validation is silently disabled when the provided expected token is malformed, so any user-supplied token is considered valid."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "CWE 345: Insufficient Verification of Data Authenticity",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-06-12T19:04:04.728Z",
        "orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
        "shortName": "Go"
      },
      "references": [
        {
          "url": "https://github.com/justinas/nosurf/pull/60"
        },
        {
          "url": "https://github.com/justinas/nosurf/commit/4d86df7a4affa1fa50ab39fb09aac56c3ce9c314"
        },
        {
          "url": "https://pkg.go.dev/vuln/GO-2020-0049"
        }
      ],
      "title": "Improper input validation in github.com/justinas/nosurf"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
    "assignerShortName": "Go",
    "cveId": "CVE-2020-36564",
    "datePublished": "2022-12-27T21:13:31.590Z",
    "dateReserved": "2022-07-29T18:39:05.265Z",
    "dateUpdated": "2025-04-11T16:26:19.344Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}