Vulnerable dependency in jwt-go v3.2.0 (CVE-2020-26160) #10320
Comments

@moonman81 PRs are welcome.

I looked into this a little. We are picking up the problem package as a transitive dependency from multiple locations.

@moonman81 please note, all released and supported versions of Kubernetes have the same problematic dependency that Helm does.

ETCD is fixed by https://github.com/etcd-io/etcd/pull/13571/files.

This issue has been marked as stale because it has been open for 90 days with no activity. This thread will be automatically closed in 30 days if no further activity occurs.
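The comment above notes that the package arrives as a transitive dependency from multiple locations, which is what makes a dependency like this hard to remove with a single version bump. The following added example (not Helm's code, and not part of this issue) shows one way to triage that: it parses `go mod graph` output, lists every module that directly requires `github.com/dgrijalva/jwt-go`, and prints each require chain from the root module. The graph embedded in the program is constructed for illustration; the module names are real but the versions and edges are invented and do not describe Helm's actual graph.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Constructed sample of `go mod graph` output. Module paths are real
// Helm/Kubernetes/etcd paths, but the versions and edges are invented for
// illustration and are not Helm's actual dependency graph.
// Each line reads "<requirer> <required>"; nodes are path@version, and the
// main module (first column of the first line) carries no version.
const sampleGraph = `helm.sh/helm/v3 k8s.io/client-go@v0.22.1
helm.sh/helm/v3 k8s.io/apiserver@v0.22.1
helm.sh/helm/v3 github.com/spf13/cobra@v1.2.1
k8s.io/client-go@v0.22.1 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
k8s.io/apiserver@v0.22.1 go.etcd.io/etcd/server/v3@v3.5.0
k8s.io/apiserver@v0.22.1 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
go.etcd.io/etcd/server/v3@v3.5.0 github.com/dgrijalva/jwt-go@v3.2.0+incompatible
github.com/spf13/cobra@v1.2.1 github.com/spf13/pflag@v1.0.5
`

// modPath strips the "@version" suffix from a graph node.
func modPath(node string) string {
	if i := strings.Index(node, "@"); i >= 0 {
		return node[:i]
	}
	return node
}

// parseGraph turns `go mod graph` output into an adjacency map
// (requirer node -> required nodes, in input order) and returns the
// root module, which `go mod graph` prints as the first requirer.
func parseGraph(out string) (map[string][]string, string) {
	deps := map[string][]string{}
	root := ""
	for _, line := range strings.Split(strings.TrimSpace(out), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 {
			continue // skip blank or malformed lines
		}
		if root == "" {
			root = f[0]
		}
		deps[f[0]] = append(deps[f[0]], f[1])
	}
	return deps, root
}

// Importers returns the sorted set of versioned modules that directly
// require any version of target: the places an upgrade or replace must land.
func Importers(out, target string) []string {
	deps, _ := parseGraph(out)
	set := map[string]bool{}
	for requirer, list := range deps {
		for _, d := range list {
			if modPath(d) == target {
				set[requirer] = true
			}
		}
	}
	res := make([]string, 0, len(set))
	for m := range set {
		res = append(res, m)
	}
	sort.Strings(res)
	return res
}

// RequirePaths returns every require chain from the root module to target,
// rendered as "a -> b -> c" and sorted, so all entry points are visible.
func RequirePaths(out, target string) []string {
	deps, root := parseGraph(out)
	var paths []string
	seen := map[string]bool{} // nodes on the current DFS stack (cycle guard)
	var walk func(node string, trail []string)
	walk = func(node string, trail []string) {
		trail = append(append([]string(nil), trail...), node) // copy: no aliasing between branches
		if modPath(node) == target {
			paths = append(paths, strings.Join(trail, " -> "))
			return
		}
		if seen[node] {
			return
		}
		seen[node] = true
		for _, d := range deps[node] {
			walk(d, trail)
		}
		delete(seen, node)
	}
	walk(root, nil)
	sort.Strings(paths)
	return paths
}

func main() {
	const vuln = "github.com/dgrijalva/jwt-go"
	fmt.Println("direct importers of", vuln)
	for _, m := range Importers(sampleGraph, vuln) {
		fmt.Println("  ", m)
	}
	fmt.Println("require chains from the root module:")
	for _, p := range RequirePaths(sampleGraph, vuln) {
		fmt.Println("  ", p)
	}
}
```

To run it against a real module, capture `go mod graph > graph.txt` in the repository and read that file instead of the constant. Note that `go mod graph` lists every version each module has ever required, not only the versions selected by the build, so confirm the version actually in use with `go list -m github.com/dgrijalva/jwt-go` before deciding whether a chain matters.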
Hi Team,
I've been asked to approve the use of helm v3.7.0 within my organisation; however, the source shows it depending upon a vulnerable version of jwt-go (v3.2.0), which has a vulnerability marked as high (CVSS score = 7.7) that is more than a year old.
As a 'high' vulnerability finding, this will for many teams (where a vulnerability management process is in place) cause an invocation of a 'risk exception process', which could be avoided where the dependency issue is resolved upstream and hence this ask.
This CVE was raised over a year ago as per dgrijalva/jwt-go#482 but alas, the maintainer (presumably "because life...") couldn't fix the issue nor maintain the code in a timely manner, and hence this led to an official, publicly maintained version being made available here: https://github.com/golang-jwt/jwt
It is notable that the fix for this vuln was initially in the v4.0.0-preview1 version which also introduced breaking API changes (which I presume beyond reasons of 'non-release' version code would understandably ward off any appetite to move forward with it).
Since then - the good folk maintaining https://github.com/golang-jwt/jwt have released a fix to the v3.2 branch and now have a v3.2.1 version available here - https://github.com/golang-jwt/jwt/releases/tag/v3.2.1
Please can you consider moving to the community-supported version of jwt-go v3.2.1 because it now has a version which doesn't break the API and should any further vulnerabilities be noted, then I would expect them to happen here and not in the unmaintained and publicly declared deprecated repo of the original author.
Thanks in advance (you'll save us having to undergo another 'risk review' in 3 months time!...)
Warwick