CVE-2021-4236

Опубликовано: 27 дек. 2022

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable.

Ссылки

https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f
Patch
Third Party Advisory
https://pkg.go.dev/vuln/GO-2021-0107
Exploit
Patch
Third Party Advisory
https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f
Patch
Third Party Advisory
https://pkg.go.dev/vuln/GO-2021-0107
Exploit
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:web_project:web:*:*:*:*:*:go:*:*

Версия от 1.4.0 (включая) до 1.5.2 (исключая)

EPSS

Процентиль: 63%

0.00454

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-476

Связанные уязвимости

GHSA-5gjg-jgh4-gppm