GO-2020-0011

Source

https://storage.googleapis.com/go-vulndb/ID/GO-2020-0011.json

Aliases

CVE-2016-9122

Published

2021-04-14T20:04:52Z

Modified

2022-05-13T18:33:00Z

Details

When decrypting JsonWebEncryption objects with multiple recipients or JsonWebSignature objects with multiple signatures the Decrypt and Verify methods do not indicate which recipient or signature was valid. This may lead a caller to rely on protected headers from an invalid recipient or signature.

References

https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
https://www.openwall.com/lists/oss-security/2016/11/03/1

Affected packages

Go / github.com/square/go-jose

github.com/square/go-jose

Affected ranges

Type: SEMVER
Events: Introduced

0

Fixed

0.0.0-20160922232413-2c5656adca99

Affected versions

Ecosystem specific

{
    "symbols": [
        "JsonWebEncryption.Decrypt",
        "JsonWebSignature.Verify"
    ]
}

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2020-0011"
}