dgrijalva / jwt-go

ARCHIVE - Golang implementation of JSON Web Tokens (JWT). This project is now maintained at:
https://github.com/golang-jwt/jwt
MIT License
10.78k stars 997 forks

1 High vulnerability detected when using an automatic vulnerability-detection tool #469

Closed Schneider-Electric-Carros closed 3 years ago

Schneider-Electric-Carros commented 3 years ago

Context where the vulnerabilities are detected

Steps to reproduce:

1. Create a Hello World application importing dgrijalva/jwt-go
2. Build the application
3. Scan the result with Black Duck Binary Analysis

Expected behavior:

No vulnerabilities should be reported.

Actual behavior:

1 High vulnerability is detected.

More details on the vulnerability:

High (CVE-2020-26160)

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
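The audience-handling defect that the CVE text above describes, shown as an added Go example that is not jwt-go's own code: `naiveVerifyAudience` reproduces the pattern the CVE describes (a single type assertion to `string`, so an array-valued `aud` silently becomes `""` and is treated as "no audience to check"), and `strictVerifyAudience` is one hardened form that accepts the string, `[]string` and JSON-decoded `[]interface{}` shapes the JWT specification permits. All function names and the sample payloads are constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Claims is a decoded JWT payload. Decoding JSON into map[string]interface{}
// yields a string for "aud":"api" and []interface{} for "aud":["api","web"];
// a claim set assembled in Go code may also carry []string. RFC 7519 allows
// aud to be either a single string or an array of strings.
type Claims map[string]interface{}

// naiveVerifyAudience is a constructed reproduction of the flawed pattern the
// CVE text describes, not the library's code: one type assertion to string,
// with an empty aud treated as "nothing to check" when aud is not required.
func naiveVerifyAudience(c Claims, expected string, required bool) bool {
	aud, _ := c["aud"].(string) // assertion fails silently for arrays, leaving aud == ""
	if aud == "" {
		return !required // an array-valued aud therefore passes when not required
	}
	return aud == expected
}

// audienceValues normalises every spec-permitted shape of aud to []string.
// The bool is false when aud is present but of an unexpected type.
func audienceValues(c Claims) ([]string, bool) {
	switch v := c["aud"].(type) {
	case nil:
		return nil, true // claim absent
	case string:
		return []string{v}, true
	case []string:
		return v, true
	case []interface{}: // shape produced by encoding/json
		out := make([]string, 0, len(v))
		for _, item := range v {
			s, ok := item.(string)
			if !ok {
				return nil, false
			}
			out = append(out, s)
		}
		return out, true
	default:
		return nil, false
	}
}

// strictVerifyAudience accepts the claims only if expected is among the
// audiences. An absent or empty aud passes only when the caller does not
// require one; a malformed aud is always rejected.
func strictVerifyAudience(c Claims, expected string, required bool) bool {
	auds, ok := audienceValues(c)
	if !ok {
		return false
	}
	if len(auds) == 0 {
		return !required
	}
	for _, a := range auds {
		if a == expected {
			return true
		}
	}
	return false
}

// claimsFromJSON decodes a JWT payload (the JSON part only; signature
// verification is out of scope for this example).
func claimsFromJSON(payload string) (Claims, error) {
	var c Claims
	if err := json.Unmarshal([]byte(payload), &c); err != nil {
		return nil, err
	}
	return c, nil
}

func main() {
	// Constructed sample payloads, not tokens from the issue.
	for _, payload := range []string{
		`{"sub":"alice","aud":"billing"}`,
		`{"sub":"alice","aud":["other-service"]}`,
		`{"sub":"alice"}`,
	} {
		c, err := claimsFromJSON(payload)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-42s naive=%v strict=%v\n", payload,
			naiveVerifyAudience(c, "billing", false),
			strictVerifyAudience(c, "billing", false))
	}
}
```

Running `main` shows the second payload, whose `aud` names a different service, passing the naive check and failing the strict one; that gap is exactly why a downstream service without its own audience check is exposed.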

ripienaar commented 3 years ago

This has been reported several times, please review open issue. Maintenance of this project is on pause and a number of us are working to try to move things back into action. Till then this will remain.

boddumanohar commented 3 years ago

related issues: https://github.com/dgrijalva/jwt-go/issues/428 https://github.com/dgrijalva/jwt-go/issues/463

Schneider-Electric-Carros commented 3 years ago

Alright, I will just close this issue to avoid duplicates then. Thanks.