CVE-2016-9122

Source

https://nvd.nist.gov/vuln/detail/CVE-2016-9122

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9122.json

Aliases

GHSA-77gc-fj98-665h
GO-2020-0011
GO-2022-0945

Published

2017-03-28T02:59:00Z

Modified

2023-11-08T03:58:37.812163Z

Details

go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.

References

http://www.openwall.com/lists/oss-security/2016/11/03/1
https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
https://hackerone.com/reports/169629

Affected packages

Git / github.com/square/go-jose

Affected ranges

Type: GIT
Repo: https://github.com/square/go-jose
Events: Introduced

0The exact introduced commit is unknown

Fixed

2c5656adca9909843c4ff50acf1d2cf8f32da7e6