GO-2020-0011

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2020-0011

Import Source

https://vuln.go.dev/ID/GO-2020-0011.json

JSON Data

https://api.osv.dev/v1/vulns/GO-2020-0011

Withdrawn

2024-05-15T05:37:11.010091Z

Published

2021-04-14T20:04:52Z

Modified

2022-08-29T16:50:59Z

Summary

[none]

Details

When decrypting JsonWebEncryption objects with multiple recipients or JsonWebSignature objects with multiple signatures the Decrypt and Verify methods do not indicate which recipient or signature was valid. This may lead a caller to rely on protected headers from an invalid recipient or signature.

References

Affected packages

Go / github.com/square/go-jose

Package

Name: github.com/square/go-jose; View open source insights on deps.dev
Purl: pkg:golang/github.com/square/go-jose

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.0.0-20160922232413-2c5656adca99

Ecosystem specific

{
    "imports": [
        {
            "symbols": [
                "JsonWebEncryption.Decrypt",
                "JsonWebSignature.Verify"
            ],
            "path": "github.com/square/go-jose"
        }
    ]
}

Database specific

{
    "url": "https://pkg.go.dev/vuln/GO-2020-0011"
}