GHSA-w73w-5m7g-f7qc

Опубликовано: 18 мая 2021

Источник: github

Github: Прошло ревью

CVSS3: 7.5

Описание

Authorization bypass in github.com/dgrijalva/jwt-go

jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1

Ссылки

Пакеты

Наименование

github.com/dgrijalva/jwt-go

Затронутые версииВерсия исправления

>= 0.0.0-20150717181359-44718f8a89b0, <= 3.2.0

Отсутствует

Наименование

github.com/dgrijalva/jwt-go/v4

Затронутые версииВерсия исправления

< 4.0.0-preview1

4.0.0-preview1

EPSS

Процентиль: 21%

0.00066

Низкий

7.5 High

CVSS3

CVE ID

CVE-2020-26160

Дефекты

CWE-287

CWE-755

Связанные уязвимости

CVE-2020-26160

CVSS3: 7.5

ubuntu

почти 5 лет назад

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.