hashicorp / consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
https://www.consul.io

CVE-2020-26160: Vulnerability in jwt-go module #11253

Closed grantliu3 closed 2 years ago

grantliu3 commented 2 years ago

Overview of the Issue

Our security scan tool found a vulnerability regarding jwt-go in the Consul image. The CVE link: https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-26160

Is it possible to bump up the version of jwt-go to v4.0.0-preview1 to address the CVE? Or could you please confirm whether Consul is affected by this CVE of jwt-go or not? Thanks in advance!

Reproduction Steps

Steps to reproduce this issue, e.g.:

  1. Build the Consul Docker image following the Dockerfile: https://github.com/hashicorp/docker-consul/blob/master/ubi/Dockerfile
  2. Scan the image using a security scan tool

Consul info for both Client and Server

Consul version: v1.10.2

Log Fragments

{
  "complianceIssues": [],
  "vulnerabilities": [
    {
      "applicableRules": [
        "<v4.0.0-preview1"
      ],
      "cause": "",
      "cri": false,
      "cve": "CVE-2020-26160",
      "cvss": 7.7,
      "description": "jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[aud] (which is allowed by the specification). Because the type assertion fails, \"\" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.",
      "discovered": "2021-10-01T14:22:20Z",
      "exploit": "",
      "fixDate": 1601489700,
      "functionLayer": "",
      "id": 416,
      "layerTime": 0,
      "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-26160",
      "packageBinaryPkgs": [],
      "packageLicense": "",
      "packageName": "github.com/dgrijalva/jwt-go",
      "packagePath": "/usr/bin/consul",
      "packageType": "go",
      "packageVersion": "v3.2.0",
      "published": 1601489700,
      "riskFactors": {
        "Attack complexity: low": true,
        "Attack vector: network": true,
        "Has fix": true,
        "High severity": true,
        "Recent vulnerability": true
      },
      "severity": "high",
      "severityCHML": "H",
      "status": "fixed in v4.0.0-preview1",
      "templates": null,
      "text": "",
      "title": "",
      "twistlock": false,
      "type": "image",
      "vecStr": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
    }
  ]
}
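The scanner description above is terse about the mechanism; the following Go snippet is an added example (not Consul's or jwt-go's code) that re-implements the audience check as jwt-go v3.2.0 performed it beside a version that handles the list form of `aud`. The `Claims` type and the two function names are mine, and the token claims are constructed for the demonstration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
)

type Claims map[string]interface{} // stands in for jwt-go's MapClaims

// verifyAudLegacy re-implements the pre-4.0.0-preview1 logic: one type assertion
// to string. An RFC 7519 []string audience fails it, aud becomes "" and the check
// degrades to "is the audience optional?" instead of comparing anything.
func verifyAudLegacy(c Claims, expected string, required bool) bool {
	aud, _ := c["aud"].(string)
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(expected)) == 1
}

// verifyAudFixed accepts every representation and compares each entry.
func verifyAudFixed(c Claims, expected string, required bool) bool {
	var auds []string
	switch v := c["aud"].(type) {
	case string:
		auds = []string{v}
	case []string:
		auds = v
	case []interface{}: // what encoding/json yields for a JSON array
		for _, a := range v {
			if s, ok := a.(string); ok {
				auds = append(auds, s)
			}
		}
	}
	if len(auds) == 0 {
		return !required // an absent audience is acceptable only if optional
	}
	for _, a := range auds {
		if subtle.ConstantTimeCompare([]byte(a), []byte(expected)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	c := Claims{"aud": []string{"other-service"}} // constructed: excludes this service
	fmt.Println("legacy:", verifyAudLegacy(c, "consul-api", false)) // true
	fmt.Println("fixed: ", verifyAudFixed(c, "consul-api", false))  // false
}
```

As the comment below notes, this only matters for a service that relies on jwt-go's check rather than its own audience validation.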
mikemorris commented 2 years ago

Refs https://github.com/hashicorp/go-discover/pull/174

We've determined that Consul is not affected by this vulnerability (jwt-go is pulled in as a nested dependency under the Azure provider for go-discover and the vulnerable code is not called by any Consul functionality), but do still want to get it cleaned up to remove the false positive.

$ go mod why -m github.com/dgrijalva/jwt-go
# github.com/dgrijalva/jwt-go
github.com/hashicorp/consul/agent
github.com/hashicorp/go-discover
github.com/hashicorp/go-discover/provider/azure
github.com/Azure/go-autorest/autorest
github.com/Azure/go-autorest/autorest/adal
github.com/dgrijalva/jwt-go
grantliu3 commented 2 years ago

@mikemorris thanks a lot for your confirmation! I'm going to mark this CVE as a false positive for the Consul image in our security scan as well, and look forward to the false positive being removed in a future release, thanks!