jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
{ "availability": "No subscription required", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "2.3.7-0ubuntu0.16.04.1", "binary_name": "juju" }, { "binary_version": "2.3.7-0ubuntu0.16.04.1", "binary_name": "juju-2.0" }, { "binary_version": "2.3.7-0ubuntu0.16.04.1", "binary_name": "juju-2.0-dbgsym" } ] }