Cryptographic Issues Affecting github.com/dinever/golf package, versions <0.3.0
Attack Complexity: High
User Interaction: Required
Confidentiality: High
Integrity: High
Snyk ID: SNYK-GOLANG-GITHUBCOMDINEVERGOLF-598768
Published: 17 Aug 2020
Disclosed: 25 Apr 2016
Credit: elithrar
Introduced: 25 Apr 2016
CWE: CWE-310
How to fix?
Upgrade github.com/dinever/golf to version 0.3.0 or higher.
Overview
Affected versions of this package are vulnerable to Cryptographic Issues. randomBytes in xsrf.go uses math/rand to generate CSRF tokens. This is unsafe, and because the generator is seeded with time.UnixNano, it produces predictable results that would allow an attacker to bypass CSRF protection.
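The flawed pattern beside its remedy, as an added illustration that is not golf's own code: weakRandomBytes reconstructs the math/rand-seeded-with-a-timestamp approach the advisory describes (a hypothetical stand-in, not the project's randomBytes), and secureRandomBytes draws from crypto/rand, which is the kind of change an upgrade to 0.3.0 delivers. seedIsRecoverable shows why the weak form fails as a CSRF token source: the same seed always yields the same token, so the secret collapses to a timestamp.

```go
package main

import (
	"bytes"
	crand "crypto/rand"
	"fmt"
	"log"
	mrand "math/rand"
	"time"
)

// weakRandomBytes is a hypothetical reconstruction of the vulnerable pattern:
// a deterministic math/rand source seeded with a timestamp. Output depends
// only on the seed, so it is not a secret.
func weakRandomBytes(seed int64, n int) []byte {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	for i := range b {
		b[i] = byte(r.Intn(256))
	}
	return b
}

// secureRandomBytes reads from the OS CSPRNG via crypto/rand. There is no
// seed to recover, so each token is independent of the clock.
func secureRandomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	if _, err := crand.Read(b); err != nil {
		return nil, err
	}
	return b, nil
}

// seedIsRecoverable reports whether re-running the weak generator with the
// same seed reproduces the token, i.e. whether knowing the seed is enough.
func seedIsRecoverable(seed int64, n int) bool {
	return bytes.Equal(weakRandomBytes(seed, n), weakRandomBytes(seed, n))
}

func main() {
	seed := time.Now().UnixNano() // the only "secret" in the weak scheme
	fmt.Printf("weak token reproducible from seed: %v\n", seedIsRecoverable(seed, 32))
	tok, err := secureRandomBytes(32)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("crypto/rand token: %x\n", tok)
}
```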