GO-2020-0011

Source
https://pkg.go.dev/vuln/GO-2020-0011
Import Source
https://vuln.go.dev/ID/GO-2020-0011.json
Aliases
Published
2021-04-14T20:04:52Z
Modified
2023-11-08T03:58:37.812163Z
Details

When decrypting JsonWebEncryption objects with multiple recipients, or verifying JsonWebSignature objects with multiple signatures, the Decrypt and Verify methods do not indicate which recipient or signature was valid. This may lead a caller to rely on protected headers from an invalid recipient or signature.

References

Affected packages

Go / github.com/square/go-jose

Affected ranges

Type
SEMVER
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
0.0.0-20160922232413-2c5656adca99

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/square/go-jose",
            "symbols": [
                "JsonWebEncryption.Decrypt",
                "JsonWebSignature.Verify"
            ]
        }
    ]
}

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2020-0011"
}