PT-2021-12084 · Unknown · Golang-Nanoauth

Bouk · Published 2021-04-14 · Updated 2023-01-09 · CVE-2020-36569

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: golang-nanoauth versions v0.0.0-20160722212129-ac0cc4484ad4 through v0.0.0-20200131131040-063a3fb69896
Description: The issue is a global authentication bypass in the golang-nanoauth library. When the ListenAndServe function is called with an empty token, token authentication is disabled globally for all listeners. In addition, a minor timing side channel is present: an attacker with a low-latency path to the server and the ability to send many requests could potentially recover the token.
Recommendations: For golang-nanoauth versions v0.0.0-20160722212129-ac0cc4484ad4 through v0.0.0-20200131131040-063a3fb69896, consider disabling the ListenAndServe function whenever an empty token is provided, until a patch is available. Restrict access to the ListenAndServe function to minimize the risk of exploitation, and avoid calling ListenAndServe with an empty token in the affected API endpoint until the issue is resolved. At the moment there is no information about a newer version that contains a fix for this vulnerability.
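The fail-closed behaviour the recommendations ask for, as an added Go example that is not the nanoauth library's code: the check shape described in the advisory (an empty configured token admits everything) beside a hypothetical middleware that refuses to start with an empty token and compares tokens in constant time. The function names and the assumption that the raw token travels in the Authorization header are the example's own.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// vulnerableCheck mirrors the advisory's flaw: an empty configured token admits every request.
func vulnerableCheck(configured, presented string) bool {
	return configured == "" || configured == presented
}

// tokenMatches compares in constant time so latency does not reveal how many leading bytes matched.
func tokenMatches(expected, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(presented)) == 1
}

// requireToken is a hypothetical hardened middleware (not nanoauth's code). It fails closed:
// an empty token is a configuration error, never a switch that disables authentication.
func requireToken(token string, next http.Handler) (http.Handler, error) {
	if token == "" {
		return nil, fmt.Errorf("auth: refusing to start with an empty token")
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !tokenMatches(token, r.Header.Get("Authorization")) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	}), nil
}

// probe sends one in-memory request with the given Authorization header and returns the status code.
func probe(h http.Handler, header string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Authorization", header)
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	_, err := requireToken("", ok) // hardened path refuses an empty token
	h, _ := requireToken("constructed-example-token", ok) // constructed sample token
	fmt.Println("vulnerable, empty token, any guess:", vulnerableCheck("", "anything"), "| hardened:", err)
	fmt.Println("right token:", probe(h, "constructed-example-token"), "wrong token:", probe(h, "guess"))
}
```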

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2020-36569
GHSA-HRM3-3XM6-X33H
GO-2020-0004

Affected Products

Golang-Nanoauth