Vulnerability Report: GO-2023-1268

CVE-2022-48195, GHSA-gvfj-fxx3-j323
Affects: mellium.im/sasl
Published: Jan 18, 2023
Modified: Jun 12, 2023

An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated (instead, the nonce is empty). This causes authentication to fail in the best case, but (if paired with a remote end that does not validate the length of the nonce) could lead to insufficient randomness being used during authentication.

For detailed information about this vulnerability, visit https://mellium.im/cve/cve-2022-48195/.

Affected Packages

Path

Versions

Symbols
mellium.im/sasl

before v0.3.1
- NewClient
- NewServer

Aliases

CVE-2022-48195
GHSA-gvfj-fxx3-j323

References

https://mellium.im/cve/cve-2022-48195/
https://codeberg.org/mellium/sasl/commit/e6cbf681b247c4efa1477eaad2cc47a01707b732
https://vuln.go.dev/ID/GO-2023-1268.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL