shaj13 / go-guardian

Go-Guardian is a golang library that provides a simple, clean, and idiomatic way to create powerful modern API and web authentication.
MIT License

Fix for CVE-2024-28180 (Improper Handling of Highly Compressed Data) introduced through gopkg.in/square/go-jose.v2 #131

Closed hmgowda closed 3 months ago

hmgowda commented 3 months ago

What version of Go are you using (go version)?

$ go version v1.22

Does this issue reproduce with the latest release?

Yes

What version of Go-Guardian are you using ?

Go-Guardian Version:  github.com/shaj13/go-guardian/v2 v2.11.5

What did you do?

GitHub security scan (Dependabot) and Checkmarx have reported a CVE in this library that is introduced through gopkg.in/square/go-jose.v2 v2.5.1.

CVE information can be found here: https://github.com/advisories/GHSA-c5q2-7r4c-mv6g. The version of the go-jose library needs to be updated. The patch with the fix is available in github.com/go-jose/go-jose/v4 4.0.1 onwards.

What did you expect to see?

No Vulnerabilities.

What did you see instead?

Saw CVE-2024-28180 https://github.com/advisories/GHSA-c5q2-7r4c-mv6g
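The advisory linked above classifies CVE-2024-28180 as improper handling of highly compressed data, i.e. a decompression bomb reachable through compressed JWE payloads. The following is an added illustration of that bug class and of the shape of the mitigation; it is not code from go-guardian or go-jose, and it does not reproduce go-jose's actual fix. It uses only the Go standard library: `deflate`, `inflateUnbounded` and `inflateBounded` are names chosen here, the 250 KB cap is an illustrative value (the page does not state what limit go-jose adopted), and the "bomb" input is constructed in the program rather than taken from a real token.

```go
package main

import (
	"bytes"
	"compress/flate"
	"errors"
	"fmt"
	"io"
)

// ErrDecompressedTooLarge is returned when inflating the input would exceed the caller's cap.
var ErrDecompressedTooLarge = errors.New("decompressed payload exceeds limit")

// deflate compresses plaintext with raw DEFLATE, the algorithm behind the JWE "zip":"DEF" header.
func deflate(plain []byte) ([]byte, error) {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.BestCompression)
	if err != nil {
		return nil, err
	}
	if _, err := w.Write(plain); err != nil {
		return nil, err
	}
	if err := w.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// inflateUnbounded is the vulnerable pattern: it trusts the compressed stream and
// allocates whatever it expands to, so a few KB of attacker input can become
// hundreds of MB of memory and CPU on the verifying side.
func inflateUnbounded(compressed []byte) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	return io.ReadAll(r)
}

// inflateBounded reads at most limit+1 bytes of output. If that extra byte shows up,
// the payload is larger than allowed and is rejected before it can exhaust memory.
// The cap is applied to the decompressed size, since the compressed size says
// nothing useful about how large the output will be.
func inflateBounded(compressed []byte, limit int64) ([]byte, error) {
	r := flate.NewReader(bytes.NewReader(compressed))
	defer r.Close()
	out, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(out)) > limit {
		return nil, ErrDecompressedTooLarge
	}
	return out, nil
}

func main() {
	// Constructed "bomb": 32 MB of identical bytes compresses to a few tens of KB.
	bomb, err := deflate(bytes.Repeat([]byte("A"), 32<<20))
	if err != nil {
		panic(err)
	}
	fmt.Printf("compressed size: %d bytes\n", len(bomb))

	// Illustrative cap; a real verifier would size this to its largest legitimate claim set.
	const limit = 250 * 1024
	if _, err := inflateBounded(bomb, limit); err != nil {
		fmt.Println("bounded inflate rejected payload:", err)
	}

	// A normal claim set passes untouched.
	small, _ := deflate([]byte(`{"sub":"alice","exp":1700000000}`))
	out, err := inflateBounded(small, limit)
	fmt.Printf("small payload ok: %v, %d bytes\n", err == nil, len(out))
}
```

After bumping the dependency, confirm which go-jose module actually ends up in the build with `go list -m all | grep go-jose`; scanners such as Dependabot flag the module graph, while `govulncheck ./...` additionally reports whether the vulnerable functions are reachable from your code.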

hmgowda commented 3 months ago

@shaj13 do you have plans on addressing this issue? Or if I open a PR with a fix for this issue, would it get accepted? Would really appreciate your input on this.

shaj13 commented 3 months ago

> @shaj13 do you have plans on addressing this issue? Or if I open a PR with a fix for this issue, would it get accepted? Would really appreciate your input on this.

Yes, I am aware of the issue and currently, there are no plans for a fix. However, if you open a PR with a fix, it would be welcomed and reviewed. Just for context, what strategy are you using? I assume it's JWT. Is it in a production environment?

hmgowda commented 3 months ago

We are using the JWT strategy in one of our open-sourced components for JWT-based authentication and authorization. I will open a PR for this in that case; would a Go version upgrade along with it also be welcomed?

shaj13 commented 3 months ago

@hmgowda Yes, but that would be a significant change, as it would require a refactor and updates to the CI/CD pipeline as well.

hmgowda commented 3 months ago

@shaj13 I have a PR for this issue https://github.com/shaj13/go-guardian/pull/132 Would appreciate your review and see if this can be merged into master.

shaj13 commented 3 months ago

Thanks @hmgowda, the fix is included in v2.11.6.

PR #132