CVE-2020-36564
Improper input validation in github.com/justinas/nosurf
Severity: 7.5 HIGH (CVSS 3.1)
EPSS: 0.31%
Description
Due to improper validation of caller input, validation is silently disabled if the provided expected token is malformed, causing any user supplied token to be considered valid.
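The failure mode above is a fail-open comparison: when the expected (server-side) token cannot be decoded, the decode error is swallowed, the expected value collapses to "no bytes", and a request token that also fails to decode compares equal to it. The example below is added here to illustrate that pattern beside a fail-closed check; it is constructed for this page and is not nosurf's source code. The raw token length of 32 bytes and the function names are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// tokenLength is the assumed raw byte length of a well-formed token
// (an assumption for this example, not a value taken from the page).
const tokenLength = 32

// lenientDecode shows the anti-pattern: a decode error is swallowed and
// a nil slice is returned, so malformed input silently becomes "empty".
func lenientDecode(s string) []byte {
	b, err := base64.StdEncoding.DecodeString(s)
	if err != nil {
		return nil
	}
	return b
}

// VerifyLenient is the fail-open check. If the expected token is malformed
// it decodes to nil; any malformed provided token also decodes to nil, and
// ConstantTimeCompare(nil, nil) reports equality, so validation is bypassed.
func VerifyLenient(expected, provided string) bool {
	return subtle.ConstantTimeCompare(lenientDecode(expected), lenientDecode(provided)) == 1
}

// VerifyStrict is the fail-closed check: a decode error or an unexpected
// length on either side rejects the request before any comparison happens.
func VerifyStrict(expected, provided string) bool {
	exp, err := base64.StdEncoding.DecodeString(expected)
	if err != nil || len(exp) != tokenLength {
		return false
	}
	got, err := base64.StdEncoding.DecodeString(provided)
	if err != nil || len(got) != tokenLength {
		return false
	}
	return subtle.ConstantTimeCompare(exp, got) == 1
}

// NewToken returns a freshly generated, well-formed token for demonstration.
func NewToken() string {
	raw := make([]byte, tokenLength)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	return base64.StdEncoding.EncodeToString(raw)
}

func main() {
	malformedExpected := "not base64!!!" // constructed: server-side token got corrupted
	malformedProvided := "also*bad"      // constructed: arbitrary request token

	fmt.Println("lenient, malformed expected:", VerifyLenient(malformedExpected, malformedProvided)) // true (bypass)
	fmt.Println("strict,  malformed expected:", VerifyStrict(malformedExpected, malformedProvided))  // false

	tok := NewToken()
	fmt.Println("strict, matching tokens:  ", VerifyStrict(tok, tok))        // true
	fmt.Println("strict, different tokens: ", VerifyStrict(tok, NewToken())) // false
}
```

The detection hint for code review is the combination of a swallowed decode error and a comparison whose inputs are not length-checked: `subtle.ConstantTimeCompare` treats two empty slices as equal, so any path that turns "malformed" into "empty" on the trusted side must be rejected before the compare.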
How to fix CVE-2020-36564
To remediate CVE-2020-36564, upgrade the affected package to a fixed version below.
- Go/github.com/justinas/nosurf—upgrade to 1.1.1 or later
Is CVE-2020-36564 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- github.com/justinas/nosurf (Go): all versions from 0 up to, but not including, 1.1.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |