Closed Schneider-Electric-Carros closed 3 years ago
This has been reported several times, please review open issue. Maintenance of this project is on pause and a number of us are working to try to move things back into action. Till then this will remain.
Alright, I will just close this issue to avoid duplicates then. Thanks.
Context where the vulnerabilities are detected
Steps to reproduce:
1. Create a Hello World application importing dgrijalva/jwt-go
2. Build the application
3. Scan the result with Black Duck Binary Analysis
Expected behavior:
No vulnerabilities should be reported.
Actual behavior:
1 High vulnerability is detected.
More details on the vulnerability:
High (CVE-2020-26160)
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
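The mechanism described in the CVE text, shown as an added, self-contained example (it is not jwt-go's code and imports nothing from the library): `verifyAudienceNaive` mirrors the pre-4.0.0-preview1 pattern of a bare type assertion to `string`, so an array-valued `aud` silently becomes `""` and, with the required flag unset, the check passes; `verifyAudienceFixed` normalises `aud` to a list and refuses malformed values. The `Claims` type, function names and the sample claims are constructed for this illustration.

```go
package main

import "fmt"

// Claims stands in for a JSON object decoded into a map (the shape
// jwt-go's MapClaims has). Assumed/simplified type, not the library's own.
type Claims map[string]interface{}

// verifyAudienceNaive reproduces the logic CVE-2020-26160 describes:
// a plain type assertion to string. When "aud" is an array the assertion
// fails and aud silently becomes "". With required=false an empty aud
// is treated as "no audience restriction", so the check passes.
func verifyAudienceNaive(c Claims, expected string, required bool) bool {
	aud, _ := c["aud"].(string) // fails quietly for []string / []interface{}
	if aud == "" {
		return !required
	}
	return aud == expected
}

// audienceList normalises the "aud" claim to a slice of strings, accepting
// both forms the JWT specification allows (single string or array).
// A value of any other type is reported as malformed rather than ignored.
func audienceList(v interface{}) ([]string, bool) {
	switch a := v.(type) {
	case nil:
		return nil, true
	case string:
		return []string{a}, true
	case []string:
		return a, true
	case []interface{}: // what encoding/json produces for a JSON array
		out := make([]string, 0, len(a))
		for _, item := range a {
			s, ok := item.(string)
			if !ok {
				return nil, false
			}
			out = append(out, s)
		}
		return out, true
	default:
		return nil, false
	}
}

// verifyAudienceFixed rejects malformed aud values instead of silently
// treating them as absent, and matches against every listed audience.
func verifyAudienceFixed(c Claims, expected string, required bool) bool {
	list, ok := audienceList(c["aud"])
	if !ok {
		return false
	}
	if len(list) == 0 {
		return !required
	}
	for _, a := range list {
		if a == expected {
			return true
		}
	}
	return false
}

func main() {
	// Constructed claims, as json.Unmarshal would decode {"aud":["other-service"]}.
	foreign := Claims{"aud": []interface{}{"other-service"}}
	fmt.Println("naive:", verifyAudienceNaive(foreign, "my-service", false)) // true: check bypassed
	fmt.Println("fixed:", verifyAudienceFixed(foreign, "my-service", false)) // false: rejected
}
```

The important detail for a service consuming such tokens is that the naive path returns true only because the audience was never compared at all; an independent audience check on the service side, or a claims check that treats a non-string `aud` as an error rather than an empty value, closes the gap.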