GHSA-w73w-5m7g-f7qc

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-w73w-5m7g-f7qc/GHSA-w73w-5m7g-f7qc.json
Aliases
Published
2021-05-18T21:08:21Z
Modified
2021-06-28T21:32:34Z
Details

jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1

References

Affected packages

Go / github.com/dgrijalva/jwt-go

github.com/dgrijalva/jwt-go

Affected ranges

Type
SEMVER
Events
Introduced
0
Last affected
3.2.0

Affected versions