x/vulndb: potential Go vuln in github.com/mojocn/base64Captcha: CVE-2023-45292 #2386
Comments
Is it because my report is not detailed enough or is it difficult to understand?

Hello, thanks for your report. We are planning to create an entry in the Go vulnerability database for this issue. It should be published today or tomorrow.

Change https://go.dev/cl/548060 mentions this issue:

Thank you very much for getting the CVE number so quickly.

Aliases: CVE-2023-45292
Updates #2386
Change-Id: I3db92e9e5ca20f2abc7ede0bb52371f577cf70f9
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/548060
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

This vulnerability is fixed in version 1.3.6

Change https://go.dev/cl/548755 mentions this issue:

Adds fixed version and commit links provided by reporter.
Aliases: CVE-2023-45292
Updates #2386
Change-Id: I8a7d08bd02bdbdfdb161f105a9324301a0e85396
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/548755
Auto-Submit: Tatiana Bradley <tatianabradley@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

Thanks again for your report. This has been published (including the fix you referenced) as GO-2023-2386 and CVE-2023-45292

Change https://go.dev/cl/549595 mentions this issue:

Aliases: CVE-2023-45292, GHSA-5mmw-p5qv-w3x5
Updates #2386
Change-Id: I5d7e7d734d4f32339ff1bc23e078752f4122ab2f
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/549595
Run-TryBot: Tim King <taking@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Acknowledgement
Description
This is a module that generates website Captchas. I found that some special values can bypass Captcha verification.
When using store.Verify() to verify whether the Captcha is correct, if the first parameter is a non-existent id, the second parameter is an empty string, and the third parameter is true, the function will always consider the Captcha to be correct.
Sample code:
Reproduction screenshot
(I blurred my name in the picture above.)
Affected Modules, Packages, Versions and Symbols
Module: github.com/mojocn/base64Captcha
Package: github.com/mojocn/base64Captcha
Versions:
- Introduced: 1.3.5
Symbols:
- store.Verify()
CVE/GHSA ID
No response
Fix Commit or Pull Request
No response
References
mojocn/base64Captcha#120
Additional information
I contacted the author via email and issue, but after 6 days there was still no feedback from the author.
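The following is an added example, written for this page; it is not the reporter's sample code and not the code of github.com/mojocn/base64Captcha. It models the Verify pattern the Description talks about with a small in-memory store: looking up a non-existent id yields the empty string, so comparing it with an empty submitted answer succeeds. Beside it is a hardened store that refuses empty input, treats an unknown id as a failure, and compares in constant time. The type names (naiveStore, hardenedStore), the exercise helper and the sample id and answer are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"sync"
)

// naiveStore is an illustrative model of the failure mode in the report,
// not the library's code. A missing id reads back as "" from the map, so
// Verify(unknownID, "", true) compares "" with "" and returns true.
type naiveStore struct {
	mu sync.Mutex
	m  map[string]string
}

func newNaiveStore() *naiveStore { return &naiveStore{m: make(map[string]string)} }

func (s *naiveStore) Set(id, value string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.m[id] = value
}

// Get returns the stored answer ("" for an unknown id) and, when clear is
// set, forgets the entry so a captcha can only be solved once.
func (s *naiveStore) Get(id string, clear bool) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	v := s.m[id]
	if clear {
		delete(s.m, id)
	}
	return v
}

// Verify is the vulnerable comparison: it never asks whether id existed.
func (s *naiveStore) Verify(id, answer string, clear bool) bool {
	return s.Get(id, clear) == answer
}

// hardenedStore keeps the same map but rejects empty input, distinguishes a
// missing id from a stored value, and compares in constant time.
type hardenedStore struct {
	mu sync.Mutex
	m  map[string]string
}

func newHardenedStore() *hardenedStore { return &hardenedStore{m: make(map[string]string)} }

func (s *hardenedStore) Set(id, value string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.m[id] = value
}

func (s *hardenedStore) Verify(id, answer string, clear bool) bool {
	if id == "" || answer == "" {
		return false // an empty submission is never a solved captcha
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	v, ok := s.m[id]
	if !ok || v == "" {
		return false // unknown id fails instead of matching ""
	}
	if clear {
		delete(s.m, id) // one attempt per captcha id
	}
	return subtle.ConstantTimeCompare([]byte(v), []byte(answer)) == 1
}

// Outcome records what a store answers for the bypass from the report, a
// correct answer, a wrong answer, and a replay of the correct answer after
// the entry was cleared.
type Outcome struct {
	Bypass, Correct, Wrong, Replay bool
}

func exercise(set func(string, string), verify func(string, string, bool) bool) Outcome {
	const id, answer = "captcha-123", "4x7Qz" // constructed sample values
	var o Outcome
	o.Bypass = verify("no-such-id", "", true) // the case described in the report
	set(id, answer)
	o.Wrong = verify(id, "wrong", false)
	o.Correct = verify(id, answer, true)
	o.Replay = verify(id, answer, true)
	return o
}

func RunNaive() Outcome    { s := newNaiveStore(); return exercise(s.Set, s.Verify) }
func RunHardened() Outcome { s := newHardenedStore(); return exercise(s.Set, s.Verify) }

func main() {
	fmt.Printf("naive:    %+v\n", RunNaive())
	fmt.Printf("hardened: %+v\n", RunHardened())
}
```

Only the Bypass field differs between the two stores: the naive model accepts the unknown id with an empty answer, the hardened one does not, while both still accept the correct answer, reject a wrong one, and refuse a replay once the entry has been cleared. For a real dependency on the module, the page's own remedy applies: the issue is fixed in 1.3.6 and published as GO-2023-2386, so govulncheck can be used to confirm whether a build still reaches the affected version.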