golang / vulndb

[mirror] The Go Vulnerability Database

x/vulndb: potential Go vuln in github.com/golang-jwt/jwt: CVE-2024-51744 #3250

Closed GoVulnBot closed 2 weeks ago

GoVulnBot commented 3 weeks ago

Advisory CVE-2024-51744 references a vulnerability in the following Go modules:

Module: github.com/golang-jwt/jwt

Description: golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in ParseWithClaims can lead to a situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the v5 branch to the v4 br...

References:

No existing reports found with this module or alias. See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/golang-jwt/jwt
      vulnerable_at: 3.2.2+incompatible
summary: CVE-2024-51744 in github.com/golang-jwt/jwt
cves:
    - CVE-2024-51744
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2024-51744
    - fix: https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c
    - web: https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r
source:
    id: CVE-2024-51744
    created: 2024-11-04T23:01:09.909623064Z
review_status: UNREVIEWED
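The failure mode the advisory describes is a caller-side one: a joined error that carries both an expiry and a signature failure still satisfies `errors.Is(err, ErrTokenExpired)`, so a handler that treats expiry as a soft failure can end up trusting claims from a token whose signature never verified. The following is an added example, not code from the golang-jwt project or from this report. It does not import `github.com/golang-jwt/jwt`; `parseWithClaims`, the `Claims` type, the sentinel variables and the grace-period policy are constructed stand-ins that only model the behaviour the description states (both errors reported together). It goes slightly beyond the advisory by showing a general check, `onlyExpired`, that walks a joined or wrapped error and confirms expiry is the sole problem before any soft-failure path is taken.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in sentinel errors with the same names the advisory mentions from
// github.com/golang-jwt/jwt; the library itself is not imported here.
var (
	ErrTokenExpired          = errors.New("token is expired")
	ErrTokenSignatureInvalid = errors.New("token signature is invalid")
)

// Claims is a constructed stand-in for a parsed claims set.
type Claims struct{ Subject string }

// parseWithClaims is a hypothetical stand-in for jwt.ParseWithClaims. It
// models the behaviour described in the advisory: every validation failure
// found is reported, joined into a single error, alongside the parsed claims.
func parseWithClaims(expired, badSignature bool) (Claims, error) {
	var errs []error
	if badSignature {
		errs = append(errs, ErrTokenSignatureInvalid)
	}
	if expired {
		errs = append(errs, ErrTokenExpired)
	}
	return Claims{Subject: "alice"}, errors.Join(errs...) // nil when errs is empty
}

// weakAuthorize is the caller pattern the advisory warns about: expiry is
// treated as a soft failure (a constructed grace-period policy) and only
// "other" errors reject. Because errors.Is matches any member of a joined
// error, a token that is both expired and forged takes the expiry branch.
func weakAuthorize(expired, badSignature bool) (subject string, ok bool) {
	claims, err := parseWithClaims(expired, badSignature)
	if errors.Is(err, ErrTokenExpired) {
		return claims.Subject, true // BUG: the joined signature failure is never examined
	}
	if err != nil {
		return "", false
	}
	return claims.Subject, true
}

// onlyExpired reports whether err consists solely of ErrTokenExpired, with
// no other failure joined (Unwrap() []error) or wrapped (Unwrap() error) in.
func onlyExpired(err error) bool {
	if err == nil {
		return false
	}
	if joined, isJoin := err.(interface{ Unwrap() []error }); isJoin {
		for _, e := range joined.Unwrap() {
			if !onlyExpired(e) {
				return false
			}
		}
		return true
	}
	if inner := errors.Unwrap(err); inner != nil {
		return onlyExpired(inner)
	}
	return err == ErrTokenExpired
}

// safeAuthorize rejects on any signature failure first, and enters the
// grace-period branch only when expiry is the sole reported problem.
func safeAuthorize(expired, badSignature bool) (subject string, ok bool) {
	claims, err := parseWithClaims(expired, badSignature)
	switch {
	case err == nil:
		return claims.Subject, true
	case errors.Is(err, ErrTokenSignatureInvalid):
		return "", false
	case onlyExpired(err):
		return claims.Subject, true // signed but expired: grace policy applies
	default:
		return "", false
	}
}

func main() {
	cases := []struct{ expired, bad bool }{{false, false}, {true, false}, {false, true}, {true, true}}
	for _, tc := range cases {
		_, w := weakAuthorize(tc.expired, tc.bad)
		_, s := safeAuthorize(tc.expired, tc.bad)
		fmt.Printf("expired=%-5v badSignature=%-5v weak=%-5v safe=%v\n", tc.expired, tc.bad, w, s)
	}
}
```

The difference shows on the last case: `weakAuthorize(true, true)` accepts, `safeAuthorize(true, true)` rejects. The ordering in `safeAuthorize` is the point: classify the hard failure before the soft one, and never branch on a single `errors.Is` when the parser can report several problems at once.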

gopherbot commented 3 weeks ago

Change https://go.dev/cl/626575 mentions this issue: data/reports: add GO-2024-3250

gopherbot commented 2 weeks ago

Change https://go.dev/cl/626156 mentions this issue: data/reports: update GO-2024-3250