High severity · NVD Advisory · Published Mar 26, 2021 · Updated Aug 3, 2024
Authentication Bypass by Primary Weakness in github.com/kongchuanhujiao/server
CVE-2021-21403
Description
In github.com/kongchuanhujiao/server before version 1.3.21 there is an Authentication Bypass by Primary Weakness vulnerability. All users are impacted. This is fixed in version 1.3.21.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/kongchuanhujiao/server (Go) | < 1.3.21 | 1.3.21 |
Affected products
- Range: < 1.3.21
Patches
13 files changed · +34 −27
internal/app/datahub/pkg/account/memory.go+32 −8 modified@@ -1,15 +1,39 @@ package account -import "github.com/kongchuanhujiao/server/internal/app/datahub/internal/memory" +import ( + "math/rand" + "strconv" + "time" -func GetCode(id string) string { - return memory.Code[id] -} + "github.com/kongchuanhujiao/server/internal/app/datahub/internal/memory" +) + +// GenerateCode 写入验证码返回一个验证码 +func GenerateCode(id string) (c string) { + + rand.Seed(time.Now().UnixNano()) + c = strconv.FormatFloat(rand.Float64(), 'f', -1, 64)[2:6] -func WriteCode(id string, code string) { - memory.Code[id] = code + memory.Code[id] = c + + go func() { + timer := time.NewTimer(5 * time.Minute) + defer timer.Stop() + <-timer.C + deleteCode(id) + }() + + return } -func DeleteCode(id string) { - delete(memory.Code, id) +// VerifyCode 验证验证码 +func VerifyCode(id string, code string) (ok bool) { + if code == memory.Code[id] { + ok = true + deleteCode(id) + } + return } + +// deleteCode 删除验证码 +func deleteCode(id string) { delete(memory.Code, id) }
internal/app/kongchuanhujiao/account/apis.go+1 −1 modified@@ -41,7 +41,7 @@ type PostLoginReq struct { // 调用方法:POST apis/accounts/login func (a *APIs) PostLogin(v *PostLoginReq) *kongchuanhujiao.Response { - if v.Code != account.GetCode(v.ID) || v.Code == "" { // FIXME datahub 鉴权 + if account.VerifyCode(v.ID, v.Code) || v.Code == "" { return kongchuanhujiao.GenerateErrResp(1, "验证码有误") }
internal/app/kongchuanhujiao/account/utils.go+1 −18 modified@@ -2,10 +2,6 @@ package account import ( "errors" - "math/rand" - "strconv" - "time" - "github.com/kongchuanhujiao/server/internal/app/client" "github.com/kongchuanhujiao/server/internal/app/client/message" "github.com/kongchuanhujiao/server/internal/app/datahub/pkg/account" @@ -22,27 +18,14 @@ func sendCode(id string) (err error) { logger.Error("发送验证码失败", zap.Error(err)) return } - if len(a) == 0 { return errors.New("账号不存在") } - rand.Seed(time.Now().UnixNano()) - c := strconv.FormatFloat(rand.Float64(), 'f', -1, 64)[2:6] - client.GetClient().SendMessage( - message.NewTextMessage("您的验证码是:" + c + ",请勿泄露给他人。有效期5分钟"). + message.NewTextMessage("您的验证码是:" + account.GenerateCode(id) + ",请勿泄露给他人。有效期5分钟"). SetTarget(&message.Target{ID: a[0].QQ}), ) - account.WriteCode(id, c) - - go func() { - timer := time.NewTimer(5 * time.Minute) - defer timer.Stop() - <-timer.C - account.DeleteCode(id) - }() - return }
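Review bot: In memory.go, `GenerateCode` builds the code as `strconv.FormatFloat(rand.Float64(), 'f', -1, 64)[2:6]`, which panics with an index-out-of-range for the rare values whose shortest representation has fewer than six characters (such as `0.5`), reseeds `math/rand` on every call, and draws from `math/rand`, which is not a cryptographically secure source for a one-time login code; suggest taking four digits from `crypto/rand` and formatting with `fmt.Sprintf("%04d", n)`. The map `memory.Code` is also written from the request handler and deleted from the timer goroutine with no mutex, so concurrent logins race on it, and `VerifyCode` returns `ok == true` for an empty `code` when nothing is stored for `id` (both sides are `""`), so every caller must keep rejecting empty input; nothing here limits attempts against a four-digit space.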
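Review bot: The new condition in `PostLogin` (apis.go) is inverted: `VerifyCode` returns `ok == true` when the code matches, so `if account.VerifyCode(v.ID, v.Code) || v.Code == ""` answers `验证码有误` for a correct code and lets an incorrect, non-empty code fall through to the login path. The drop-in replacement for the old `v.Code != account.GetCode(v.ID)` is `if !account.VerifyCode(v.ID, v.Code) || v.Code == ""`. Note also that because `VerifyCode` deletes the stored code on a match, a correct code is consumed and then rejected, so the user cannot even retry it.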
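Review bot: In the second utils.go hunk, `account.GenerateCode(id)` is now evaluated inside the message construction, so the code is stored in `memory.Code` and its 5-minute expiry timer is started before `SendMessage` runs, and the result of `SendMessage` is still discarded; if the send fails, a code the user never received stays valid for five minutes. Suggest generating the code into a local variable, sending, and checking whatever result `SendMessage` reports before treating the code as live.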
References
- GitHub Advisory: github.com/advisories/GHSA-8wrg-m8vm-5fvj
- NVD: nvd.nist.gov/vuln/detail/CVE-2021-21403
- Fix commit: github.com/kongchuanhujiao/server/commit/9a125624f219e496bdf4b07b404816d5a309bdc1
- Repository advisory: github.com/kongchuanhujiao/server/security/advisories/GHSA-8wrg-m8vm-5fvj