N/A

An issue was discovered in Mellium mellium.im/sasl before 0.3.1. When performing SCRAM-based SASL authentication, if the remote end advertises support for channel binding, no random nonce is generated (instead, the nonce is empty). This causes authentication to fail in the best case, but (if paired with a remote end that does not validate the length of the nonce) could lead to insufficient randomness being used during authentication.

N/A

N/A

Mellium 授权问题漏洞

Mellium是提供来自可扩展消息传递和存在协议的功能。 Mellium v0.3.0之前版本存在安全漏洞，该漏洞源于在执行基于 SCRAM 的 SASL 身份验证时，如果远程端通告支持通道绑定，则不会生成随机随机数，这会导致身份验证在最好的情况下失败，但是如果与不验证 nonce 长度的远程端配对，可能会导致在身份验证期间使用的随机性不足。

N/A

N/A