GHSA-f28g-86hc-823q

Source
https://github.com/advisories/GHSA-f28g-86hc-823q
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-f28g-86hc-823q/GHSA-f28g-86hc-823q.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-f28g-86hc-823q
Aliases
Published
2023-07-13T19:56:19Z
Modified
2024-05-20T21:54:03Z
Summary
Tokenizer vulnerable to client brute-force of token secrets
Details

Impact

An authorized client that holds an inject_processor secret could brute-force the value of the secret token by abusing the fmt parameter of the Proxy-Tokenizer header, which the proxy applied to the token as a format string when injecting it into the upstream request.

Patches

The issue was fixed in https://github.com/superfly/tokenizer/pull/8 and further mitigated in https://github.com/superfly/tokenizer/pull/9.

Database specific
{
    "cwe_ids": [],
    "github_reviewed_at": "2023-07-13T19:56:19Z",
    "nvd_published_at": null,
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

Go / github.com/superfly/tokenizer

Package

Name
github.com/superfly/tokenizer
Purl
pkg:golang/github.com/superfly/tokenizer

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.0.1

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-f28g-86hc-823q/GHSA-f28g-86hc-823q.json"