exploitDog

CVE-2020-26160

Published: 15 Sep 2020
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

A vulnerability was found in jwt-go that allows an access restriction bypass. If m["aud"] happens to be []string{}, as the specification allows, the type assertion fails and the value of aud is "". As a result, audience verification can succeed even when the audiences passed are incorrect, provided required is set to false.
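The failure mode described above, as an added Go illustration that is not the library's own code: `weakVerifyAudience` reproduces the single string type assertion pattern the advisory describes, and `safeVerifyAudience` shows a check that accepts both the string and array forms of `aud` that RFC 7519 allows and fails closed on an empty array. Function names are assumptions.

```go
package main

import "crypto/subtle"

// weakVerifyAudience reproduces the flawed pattern the advisory describes
// (an illustration, not the library's code): the single-string type assertion
// fails for an array-valued "aud", so aud is "" and the check passes whenever
// required is false.
func weakVerifyAudience(m map[string]interface{}, expected string, required bool) bool {
	aud, _ := m["aud"].(string)
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(expected)) == 1
}

// audienceList normalises "aud" into a list: RFC 7519 allows a string or an
// array, and encoding/json decodes an array into []interface{}.
func audienceList(v interface{}) []string {
	switch a := v.(type) {
	case string:
		return []string{a}
	case []string:
		return a
	case []interface{}:
		out := make([]string, 0, len(a))
		for _, e := range a {
			if s, ok := e.(string); ok {
				out = append(out, s)
			}
		}
		return out
	}
	return nil // unknown type: treated as no usable audience
}

// safeVerifyAudience accepts the token only if expected is among the listed
// audiences. Only a truly absent "aud" is tolerated (and only when required is
// false); an empty array or an unparseable value fails closed.
func safeVerifyAudience(m map[string]interface{}, expected string, required bool) bool {
	v, present := m["aud"]
	if !present {
		return !required
	}
	for _, a := range audienceList(v) {
		if subtle.ConstantTimeCompare([]byte(a), []byte(expected)) == 1 {
			return true
		}
	}
	return false
}
```

With `{"aud": []}` and `required == false`, the weak check returns true while the safe check returns false; both agree on the plain string form.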

Statement

The github.com/dgrijalva/jwt-go module is an indirect dependency of the k8s.io/client-go module pulled into Quay Bridge, and Setup operators via the Operator's SDK generated code. The k8s.io/client-go module does not use jwt-go in an unsafe way [1]. Red Hat Quay components have been marked as wontfix. This may be fixed in the future.

Similar to Quay, multiple OpenShift Container Platform (OCP) containers include jwt-go as a transient dependency due to go-autorest [1]. As such, those containers do not use jwt-go in an unsafe way. They have been marked wontfix at this time and may be fixed in a future update.

Same as Quay and OpenShift Container Platform, components shipped with Red Hat OpenShift Container Storage 4 do not use jwt-go in an unsafe way and hence this issue has been rated as having a security impact of Low. A future update may address this issue.

Red Hat Gluster Storage 3 shipped multi-cloud-object-gateway-cli as a technical preview and is not currently planned to be addressed in future updates, hence the multi-cloud-object-gateway-cli package will not be fixed.

[1] https://github.com/Azure/go-autorest/issues/568#issuecomment-703804062

Affected packages

Platform | Package | Status | Advisory | Release
--- | --- | --- | --- | ---
Distributed Tracing Jaeger 1 | distributed-tracing/jaeger-rhel7-operator | Not affected | |
OpenShift Service Mesh 1 | kiali | Will not fix | |
OpenShift Service Mesh 1 | servicemesh | Will not fix | |
OpenShift Service Mesh 1 | servicemesh-operator | Will not fix | |
OpenShift Service Mesh 1 | servicemesh-prometheus | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | jwt-go | Not affected | |
Red Hat OpenShift Container Platform 3.11 | atomic-openshift | Will not fix | |
Red Hat OpenShift Container Platform 3.11 | atomic-openshift-cluster-autoscaler | Will not fix | |
Red Hat OpenShift Container Platform 3.11 | atomic-openshift-service-idler | Will not fix | |
Red Hat OpenShift Container Platform 3.11 | openshift3/ose-service-catalog | Will not fix | |


Additional information

Status: Moderate
Weakness: CWE-284
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1883371 (jwt-go: access restriction bypass vulnerability)

EPSS: 0.00066 (percentile 21%, Low)
CVSS3: 7.5 (High)

Related vulnerabilities

ubuntu (CVSS3: 7.5, almost 5 years ago)
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

nvd (CVSS3: 7.5, almost 5 years ago)
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

msrc (CVSS3: 7.5, 12 months ago)
No description available

debian (CVSS3: 7.5, almost 5 years ago)
jwt-go before 4.0.0-preview1 allows attackers to bypass intended acces ...

redos (CVSS3: 7.5, 15 days ago)
stolon vulnerability
