GO-2020-0011

Source
https://storage.googleapis.com/go-vulndb/ID/GO-2020-0011.json
Aliases
  • CVE-2016-9122
Published
2021-04-14T20:04:52Z
Modified
2022-05-13T18:33:00Z
Details

When decrypting JsonWebEncryption objects with multiple recipients or verifying JsonWebSignature objects with multiple signatures, the Decrypt and Verify methods do not indicate which recipient or signature was valid. This may lead a caller to rely on protected headers from an invalid recipient or signature.

References

Affected packages

Go / github.com/square/go-jose

github.com/square/go-jose

Affected ranges

Type
SEMVER
Events
  • Introduced: 0
  • Fixed: 0.0.0-20160922232413-2c5656adca99

Affected versions

Ecosystem specific

{
    "symbols": [
        "JsonWebEncryption.Decrypt",
        "JsonWebSignature.Verify"
    ]
}

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2020-0011"
}