GO-2022-0945

Source

https://pkg.go.dev/vuln/GO-2022-0945

Import Source

https://vuln.go.dev/ID/GO-2022-0945.json

Aliases

Published

2022-08-22T17:59:45Z

Modified

2023-11-08T03:58:37.812163Z

Details

The go-jose library suffers from multiple signatures exploitation. When validating a signed message, the API did not indicate which signature was valid, which creates the potential for confusion.

References

Affected packages

Go / gopkg.in/square/go-jose.v1

Package

Name: gopkg.in/square/go-jose.v1

Affected ranges

Type: SEMVER
Events: Introduced

0The exact introduced commit is unknown

Fixed

1.1.0

Ecosystem specific

{
    "imports": [
        {
            "path": "gopkg.in/square/go-jose.v1",
            "symbols": [
                "JsonWebEncryption.Decrypt",
                "JsonWebKey.UnmarshalJSON",
                "JsonWebSignature.Verify",
                "ecDecrypterSigner.decryptKey",
                "rawJsonWebKey.ecPublicKey"
            ]
        },
        {
            "path": "gopkg.in/square/go-jose.v1/cipher",
            "symbols": [
                "DeriveECDHES",
                "NewConcatKDF",
                "cbcAEAD.Open",
                "cbcAEAD.Seal",
                "cbcAEAD.computeAuthTag",
                "padBuffer",
                "resize"
            ]
        }
    ]
}