github.com/dgrijalva/jwt-go-v3.2.0+incompatible: 1 vulnerability (highest severity is: 7.5) #296
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Vulnerable Library - github.com/dgrijalva/jwt-go-v3.2.0+incompatible
ARCHIVE - Golang implementation of JSON Web Tokens (JWT). This project is now maintained at:
Library home page: https://proxy.golang.org/github.com/dgrijalva/jwt-go/@v/v3.2.0+incompatible.zip
Path to dependency file: /go.mod
Path to vulnerable library: /go.mod
Found in HEAD commit: fd9fc1baf3cd86beecdfe1d4b962b3e768b4ff92
Vulnerabilities
In some cases, a remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Details
CVE-2020-26160
Found in base branch: master
Vulnerability Details
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions when the `aud` claim is a list of strings, which the JWT specification (RFC 7519) permits: a JSON array decodes into `[]interface{}` in `MapClaims`, and claims built in Go code may hold `[]string{}` for `m["aud"]`. `MapClaims.VerifyAudience` reads the claim with a single `string` type assertion; for either list form the assertion fails, so `aud` is treated as `""`, and a check that does not mark the audience as required then reports success. This is a security problem if the JWT token is presented to a service that relies on that result and lacks its own audience check: a token minted for a different audience is accepted.
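To make the failure mode concrete, the following is an added, self-contained Go example written for this issue; it is not code from jwt-go or from the project that opened the issue. It re-implements the audience check in two forms: `verifyAudLegacy` reproduces the single-string type assertion described above, and `verifyAudFixed` normalises the claim to a list of strings first. The claim payload, the audience names `billing` and `api`, and all function names are constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// MapClaims mirrors the shape jwt-go uses for a decoded claim set: the JSON
// object unmarshalled into a map[string]interface{}. Everything in this file
// is an illustrative re-implementation, not the library's own code.
type MapClaims map[string]interface{}

// verifyAudLegacy reproduces the behaviour the advisory describes: the claim
// is read with one string type assertion. For a JSON array the assertion
// fails, aud becomes "", and a non-required audience check passes.
func verifyAudLegacy(m MapClaims, cmp string, required bool) bool {
	aud, _ := m["aud"].(string)
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// audienceValues normalises the aud claim to a list of strings, covering the
// encodings a verifier can receive: a JSON string, a JSON array decoded as
// []interface{}, or a []string built in Go code. ok is false for any other
// shape so that a malformed claim is rejected rather than ignored.
func audienceValues(v interface{}) (auds []string, ok bool) {
	switch a := v.(type) {
	case nil:
		return nil, true
	case string:
		return []string{a}, true
	case []string:
		return a, true
	case []interface{}:
		out := make([]string, 0, len(a))
		for _, e := range a {
			s, isStr := e.(string)
			if !isStr {
				return nil, false // non-string element: malformed claim
			}
			out = append(out, s)
		}
		return out, true
	default:
		return nil, false
	}
}

// verifyAudFixed accepts the token only if cmp appears in the audience list.
// A missing claim is tolerated only when the caller does not require one;
// a malformed claim is always rejected.
func verifyAudFixed(m MapClaims, cmp string, required bool) bool {
	auds, ok := audienceValues(m["aud"])
	if !ok {
		return false
	}
	if len(auds) == 0 {
		return !required
	}
	for _, a := range auds {
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			return true
		}
	}
	return false
}

// decodeClaims unmarshals a claims JSON object (a JWT payload after base64url
// decoding) the way a MapClaims-based parser would see it.
func decodeClaims(payload string) (MapClaims, error) {
	var m MapClaims
	if err := json.Unmarshal([]byte(payload), &m); err != nil {
		return nil, err
	}
	return m, nil
}

func main() {
	// Constructed sample payload: a token minted for "billing", presented
	// to a service whose own audience is "api".
	claims, err := decodeClaims(`{"sub":"alice","aud":["billing"],"exp":4102444800}`)
	if err != nil {
		panic(err)
	}
	fmt.Printf("aud decodes as %T\n", claims["aud"])
	fmt.Println("legacy, audience not required:", verifyAudLegacy(claims, "api", false))
	fmt.Println("fixed,  audience not required:", verifyAudFixed(claims, "api", false))
	fmt.Println("fixed,  correct audience:     ", verifyAudFixed(claims, "billing", true))
}
```

Two things are worth noticing when running it. With `required` set to true the legacy check rejects the array-valued token even for its correct audience, because `""` never matches; the bypass appears only on the non-required path, which is the configuration a service ends up with when it treats the audience as optional. The fixed check also refuses a claim whose array holds a non-string element instead of silently treating it as absent.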
Publish Date: 2020-09-30
URL: CVE-2020-26160
CVSS 3 Score Details (7.5)
Suggested Fix
Type: Upgrade version
Origin: GHSA-w73w-5m7g-f7qc
Release Date: 2020-09-30
Fix Resolution: 4.0.0-preview1
⛑️ Automatic Remediation will be attempted for this issue.