GO-2020-0011

Source
https://pkg.go.dev/vuln/GO-2020-0011
Import Source
https://vuln.go.dev/ID/GO-2020-0011.json
JSON Data
https://api.osv.dev/v1/vulns/GO-2020-0011
Withdrawn
2024-05-15T05:37:11.010091Z
Published
2021-04-14T20:04:52Z
Modified
2022-08-29T16:50:59Z
Summary
[none]
Details

When decrypting JsonWebEncryption objects with multiple recipients or JsonWebSignature objects with multiple signatures the Decrypt and Verify methods do not indicate which recipient or signature was valid. This may lead a caller to rely on protected headers from an invalid recipient or signature.

References

Affected packages

Go / github.com/square/go-jose

Package

Name
github.com/square/go-jose
View open source insights on deps.dev
Purl
pkg:golang/github.com/square/go-jose

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.0.0-20160922232413-2c5656adca99

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "JsonWebEncryption.Decrypt",
                "JsonWebSignature.Verify"
            ],
            "path": "github.com/square/go-jose"
        }
    ]
}

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2020-0011"
}