This repository has been archived by the owner on Dec 22, 2021. It is now read-only.

migrate to golang-jwt #2

Open
v0lkan opened this issue Dec 8, 2021 · 0 comments

v0lkan commented Dec 8, 2021

CVE-2020-26160

high severity
Vulnerable versions: <= 3.2.0
Patched version: No fix
jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1.

@v0lkan v0lkan added this to STUFF Dec 8, 2021
@v0lkan v0lkan removed this from STUFF Dec 22, 2021
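
The failure mode quoted in the advisory above, shown next to a fail-closed audience check. This is an added example, not code from jwt-go, golang-jwt or this repository; the function names, the `required` flag and the sample claims are assumptions constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// audAsStringOnly: simplified reconstruction of the pattern in the advisory
// (not jwt-go's source). A non-string aud fails the assertion, so aud == "".
func audAsStringOnly(m map[string]interface{}, want string, required bool) bool {
	aud, _ := m["aud"].(string)
	if aud == "" {
		return !required // empty audience passes unless the caller requires one
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(want)) == 1
}

// audStrict handles both string and array forms and fails closed otherwise.
func audStrict(m map[string]interface{}, want string) bool {
	match := func(s string) bool {
		return want != "" && subtle.ConstantTimeCompare([]byte(s), []byte(want)) == 1
	}
	switch v := m["aud"].(type) {
	case string:
		return match(v)
	case []interface{}: // encoding/json decodes a JSON array to []interface{}
		found := false
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false
			}
			found = found || match(s)
		}
		return found
	}
	return false
}

// parseClaims decodes a JWT claims payload (signature checks are out of scope).
func parseClaims(raw string) (m map[string]interface{}, err error) {
	err = json.Unmarshal([]byte(raw), &m)
	return
}

func main() {
	m, _ := parseClaims(`{"sub":"alice","aud":["other-service"]}`) // constructed sample
	fmt.Println(audAsStringOnly(m, "billing-api", false), audStrict(m, "billing-api"))
}
```

A token whose `aud` array names only a different service is accepted by the string-only check and rejected by the strict one, which is the behaviour to confirm in a regression test after migrating.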