GO-2023-1268

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2023-1268

Import Source

https://vuln.go.dev/ID/GO-2023-1268.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2023-1268

Aliases

CVE-2022-48195
GHSA-gvfj-fxx3-j323

Published

2023-01-18T18:06:45Z

Modified

2024-05-20T16:03:47Z

Summary

Authentication failure in mellium.im/sasl

Details

An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated (instead, the nonce is empty). This causes authentication to fail in the best case, but (if paired with a remote end that does not validate the length of the nonce) could lead to insufficient randomness being used during authentication.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2023-1268"
}

References

Affected packages

Go / mellium.im/sasl

Package

Name: mellium.im/sasl; View open source insights on deps.dev
Purl: pkg:golang/mellium.im/sasl

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.3.1

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "NewClient",
                "NewServer"
            ],
            "path": "mellium.im/sasl"
        }
    ]
}