CVE-2016-15005: Cross-Site Request Forgery (CSRF)

December 28, 2022 (updated December 30, 2022)

CSRF tokens are generated using math/rand, which is not a cryptographically secure rander number generation, making predicting their values relatively trivial and allowing an attacker to bypass CSRF protections which relatively few requests.

References

github.com/advisories/GHSA-q9qr-jwpw-3qvv
github.com/dinever/golf/commit/3776f338be48b5bc5e8cf9faff7851fc52a3f1fe
github.com/dinever/golf/issues/20
github.com/dinever/golf/pull/24
nvd.nist.gov/vuln/detail/CVE-2016-15005
pkg.go.dev/vuln/GO-2020-0045

Detect and mitigate CVE-2016-15005 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →