{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2021-4236", "assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "state": "PUBLISHED", "assignerShortName": "Go", "dateReserved": "2022-07-29T19:01:04.923Z", "datePublished": "2022-12-27T21:13:45.711Z", "dateUpdated": "2023-06-12T19:04:11.139Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc", "shortName": "Go", "dateUpdated": "2023-06-12T19:04:11.139Z"}, "title": "Panic or authentication bypass in github.com/ecnepsnai/web", "descriptions": [{"lang": "en", "value": "Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable."}], "affected": [{"vendor": "github.com/ecnepsnai/web", "product": "github.com/ecnepsnai/web", "collectionURL": "https://pkg.go.dev", "packageName": "github.com/ecnepsnai/web", "versions": [{"version": "1.4.0", "lessThan": "1.5.2", "status": "affected", "versionType": "semver"}], "programRoutines": [{"name": "Server.socketHandler"}, {"name": "Server.Socket"}], "defaultStatus": "unaffected"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption"}]}], "references": [{"url": "https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f"}, {"url": "https://pkg.go.dev/vuln/GO-2021-0107"}]}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:web_project:web:*:*:*:*:*:go:*:*", "matchCriteriaId": "4F957C53-3F68-4128-B6FA-7685D4949E2B", "versionEndExcluding": "1.5.2", "versionStartIncluding": "1.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Web Sockets do not execute any AuthenticateMethod methods which may be set, leading to a nil pointer dereference if the returned UserData pointer is assumed to be non-nil, or authentication bypass. This issue only affects WebSockets with an AuthenticateMethod hook. Request handlers that do not explicitly use WebSockets are not vulnerable."}, {"lang": "es", "value": "Web Sockets no ejecuta ning\u00fan m\u00e9todo AuthenticateMethod que pueda configurarse, lo que lleva a una desreferencia del puntero null si se supone que el puntero UserData devuelto no es null, o a una omisi\u00f3n de autenticaci\u00f3n. Este problema solo afecta a WebSockets con un enlace AuthenticateMethod. Los controladores de solicitudes que no utilizan WebSockets expl\u00edcitamente no son vulnerables."}], "id": "CVE-2021-4236", "lastModified": "2023-11-07T03:40:24.920", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-12-27T22:15:12.013", "references": [{"source": "security@golang.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ecnepsnai/web/commit/5a78f8d5c41ce60dcf9f61aaf47a7a8dc3e0002f"}, {"source": "security@golang.org", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://pkg.go.dev/vuln/GO-2021-0107"}], "sourceIdentifier": "security@golang.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}