Access Restriction Bypass Affecting github.com/dgrijalva/jwt-go package, versions <4.0.0-preview1


Severity: high
  • Attack Complexity: Low
  • Confidentiality: High

  • snyk-id: SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515
  • published: 13 Sep 2020
  • disclosed: 30 Jul 2020
  • credit: christopher-wong

How to fix?

Upgrade github.com/dgrijalva/jwt-go to version 4.0.0-preview1 or higher.

Overview

github.com/dgrijalva/jwt-go is a go implementation of JSON Web Tokens.

Affected versions of this package are vulnerable to Access Restriction Bypass. If m["aud"] happens to be a []string{} (a list of audiences, as allowed by the spec), the type assertion to string fails and the value of aud is "". Because an empty aud is treated as "no audience claim present", audience verification can succeed even if the audiences being passed are incorrect, provided required is set to false.
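The mechanism above, re-created as an added example (this is not jwt-go's own code): vulnerableVerifyAudience reproduces the single string type assertion, and fixedVerifyAudience shows a version that also handles the list forms. The function names, the map-based claim type and the token payload are assumptions for this example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// vulnerableVerifyAudience mirrors the flaw described above: one type assertion to string.
// A JSON array "aud" decodes to []interface{}, so aud becomes "" and the check degrades to !required.
func vulnerableVerifyAudience(m map[string]interface{}, cmp string, required bool) bool {
	aud, _ := m["aud"].(string)
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// fixedVerifyAudience accepts the string, []string and []interface{} forms the spec allows.
func fixedVerifyAudience(m map[string]interface{}, cmp string, required bool) bool {
	var auds []string
	switch v := m["aud"].(type) {
	case string:
		auds = []string{v}
	case []string:
		auds = v
	case []interface{}:
		for _, a := range v {
			if s, ok := a.(string); ok {
				auds = append(auds, s)
			}
		}
	}
	if len(auds) == 0 {
		return !required // claim absent or empty: only acceptable when not required
	}
	for _, a := range auds {
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	var c map[string]interface{} // constructed token payload, decoded as a real claim set would be
	_ = json.Unmarshal([]byte(`{"aud":["service-a","service-b"]}`), &c)
	fmt.Println(vulnerableVerifyAudience(c, "other", false), fixedVerifyAudience(c, "other", false)) // true false
}
```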

References