Access Restriction Bypass Affecting github.com/dgrijalva/jwt-go package, versions <4.0.0-preview1
Snyk CVSS
Attack Complexity
Low
Confidentiality
High
Threat Intelligence
EPSS
0.18% (54th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515
- published 13 Sep 2020
- disclosed 30 Jul 2020
- credit christopher-wong
Introduced: 30 Jul 2020
CVE-2020-26160 Open this link in a new tabHow to fix?
Upgrade github.com/dgrijalva/jwt-go to version 4.0.0-preview1 or higher.
Overview
github.com/dgrijalva/jwt-go is a go implementation of JSON Web Tokens.
Affected versions of this package are vulnerable to Access Restriction Bypass if m["aud"] happens to be []string{}, as allowed by the spec, the type assertion fails and the value of aud is "". This can cause audience verification to succeed even if the audiences being passed are incorrect if required is set to false.