cipher package, versions <1.0.5

Attack Complexity

Low
Integrity

High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

SNYK-GOLANG-GITHUBCOMSQUAREGOJOSECIPHER-451468
published

3 Jul 2019
disclosed

28 Mar 2017
credit

Cedric Staub

Report a new vulnerability Found a mistake?

Introduced: 28 Mar 2017

CVE-2016-9123 Open this link in a new tab CWE-190 Open this link in a new tab

How to fix?

Upgrade github.com/square/go-jose/cipher to version 1.0.5 or higher.

Overview

github.com/square/go-jose/cipher is an implementation of JOSE standards (JWE, JWS, JWT) in Go.

Affected versions of this package are vulnerable to Integer Overflow. An integer overflow could lead to authentication bypass for CBC-HMAC encrypted ciphertexts on 32-bit architectures.

References

GitHub Commit
OSS security Advisory

Integer Overflow Affecting github.com/square/go-jose/cipher package, versions <1.0.5

Attack Complexity

Integrity

snyk-id

published

disclosed

credit

Introduced: 28 Mar 2017

How to fix?

Overview

References