This repository has been archived by the owner on May 21, 2022. It is now read-only.

CVE-2021-33890 #482

Open
grantzvolsky opened this issue Sep 19, 2021 · 7 comments

Comments

@grantzvolsky

This is my last attempt at contacting the maintainers before I make a public disclosure of this vulnerability whose severity I gauge at medium. If you are a maintainer of this repository, please send me an email to echo 'hsbou@awpmtlz.psh' | tr 'b-za' 'a-yz'.

@ripienaar

@grantzvolsky the vulnerability is already public.

This repository is not being maintained anymore so I am afraid you should not expect a response.

The development continues in golang-jwt/jwt where this vulnerability is fixed already.

@grantzvolsky
Author

@ripienaar I'm aware that form3tech-oss promptly fixed it in their fork of jwt-go when I notified them, and I see that it is now also fixed in golang-jwt/jwt. Nevertheless, many projects still depend on dgrijalva/jwt-go, so as long as it isn't also fixed here, I should at some point make a public disclosure with the advice to use one of the maintained forks. To my knowledge, your comment is the first public link from the CVE number to the details of the vulnerability, so I might as well do it now. It has been 3 months, anyway.

@ripienaar

There have been countless issues opened here. Pages of discussion. All mentioning the CVE. Plus there is the non-embargoed CVE, and it is widely known (see all the PRs mentioning it).

Snyk also alerts their users already etc

And it clearly states in the readme that this repository is inactive, and the linked-to issue.

Suggesting you are somehow making some new thing public is a bit of a stretch, let's be honest, after months of effort while apparently not paying attention. It's already widely known.

@grantzvolsky
Author

grantzvolsky commented Sep 19, 2021

Are you certain you're talking about CVE-2021-33890? Judging by your description, you're probably talking about CVE-2020-26160. These two are not related.

@ripienaar

You're right. I was being an arsehole; please accept my apology.

Regardless, the maintainer will not respond; this repo is as good as dead.

@HaBaLeS

HaBaLeS commented Oct 23, 2021

The easiest way to get rid of this library is

replace github.com/dgrijalva/jwt-go v3.2.0+incompatible => github.com/golang-jwt/jwt/v4 v4.1.0

and this also helps for 3rd-party libs; it's a

Community maintained clone of https://github.com/dgrijalva/jwt-go
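The replace directive from the comment above, written out as a complete go.mod with the follow-up checks as comments. This is an added example, not from the thread or from either project; the module name example.com/app, the go version line and the require block are constructed, and it assumes (as the comment states) that Go accepts golang-jwt/jwt/v4 as a replacement for a module with a different path:

```gomod
// Constructed example go.mod for a hypothetical module "example.com/app".
// Source code still imports "github.com/dgrijalva/jwt-go"; the replace
// directive below makes Go resolve that import to golang-jwt/jwt/v4 instead,
// so no import paths need to change.
module example.com/app

go 1.16

require (
	// Still listed because application code (or a 3rd-party lib) imports it.
	github.com/dgrijalva/jwt-go v3.2.0+incompatible
)

// Left side without a version: every version of dgrijalva/jwt-go that any
// dependency requires is redirected, not only v3.2.0+incompatible.
// (The comment above pins the left side to v3.2.0+incompatible, which only
// redirects that exact version.)
replace github.com/dgrijalva/jwt-go => github.com/golang-jwt/jwt/v4 v4.1.0

// After editing, verify that the redirect took effect:
//   go mod tidy
//   go list -m all | grep jwt
// The second command prints the replaced module with an arrow, e.g.
//   github.com/dgrijalva/jwt-go v3.2.0+incompatible => github.com/golang-jwt/jwt/v4 v4.1.0
// If a plain "github.com/dgrijalva/jwt-go v3.2.0+incompatible" line appears
// with no arrow, the replace did not apply to that version.
```

One caveat for library authors: Go only honours replace directives in the main module's go.mod, so a replace inside a library is ignored by every module that depends on it. A library that imports dgrijalva/jwt-go should migrate its imports to github.com/golang-jwt/jwt/v4 outright; the replace above is a fix for applications.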

@oxisto

oxisto commented Mar 24, 2022

@ripienaar I'm aware that form3tech-oss promptly fixed it in their fork of jwt-go when I notified them, and I see that it is now also fixed in golang-jwt/jwt. Nevertheless, many projects still depend on dgrijalva/jwt-go, so as long as it isn't also fixed here, I should at some point make a public disclosure with the advice to use one of the maintained forks. To my knowledge, your comment is the first public link from the CVE number to the details of the vulnerability, so I might as well do it now. It has been 3 months, anyway.

Hi, one of the maintainers of golang-jwt/jwt here. I was just stumbling on this thread here from golang-jwt/jwt#185. Unfortunately, no public information is available (yet) on this CVE and I do not have any further non-public information. Would you mind disclosing more details to me at security-jwt@christian-banse.de, even though you mentioned we already fixed the issue anyway?

We are also in the process of setting up a mailing list for security issues (see golang-jwt/jwt#171).
