This repository has been archived by the owner on May 21, 2022. It is now read-only.

1 High vulnerability detected when using an automatic vulnerability-detection tool #469

Closed
Schneider-Electric-Carros opened this issue May 10, 2021 · 3 comments

Comments

@Schneider-Electric-Carros

Schneider-Electric-Carros commented May 10, 2021

Context where the vulnerabilities are detected

Steps to reproduce:

Create a Hello World application importing dgrijalva/jwt-go
Build the application
Scan the result with Black Duck Binary Analysis

Expected behavior:

No vulnerabilities should be reported.

Actual behavior:

1 High vulnerability is detected.

More details on the vulnerability:

High (CVE-2020-26160)

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
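The mechanism in the CVE text above (a bare string type assertion on `aud` that silently yields `""` when the claim is a JSON array) is easy to see in a few lines of Go. The program below is an added illustration, not code from this issue or from the jwt-go library: `ParseClaims`, `audienceValues`, `VerifyAudience`, `legacyAudienceCheck` and the sample payloads are all constructed here. `legacyAudienceCheck` only mirrors the shape of the flawed check so the two behaviours can be compared side by side; `VerifyAudience` is the fail-closed form a service should use when it cannot rely on the library's own audience handling.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// audienceValues extracts the "aud" claim in a type-tolerant way.
// RFC 7519 allows "aud" to be a single string or an array of strings;
// after json.Unmarshal into map[string]interface{} those arrive as
// string and []interface{} respectively. A bare string type assertion
// silently yields "" for the array form, which is the defect the CVE
// text above describes.
func audienceValues(claims map[string]interface{}) ([]string, error) {
	raw, ok := claims["aud"]
	if !ok {
		return nil, nil // claim absent
	}
	switch v := raw.(type) {
	case string:
		return []string{v}, nil
	case []string:
		return v, nil
	case []interface{}:
		out := make([]string, 0, len(v))
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return nil, fmt.Errorf("aud array contains non-string element %T", e)
			}
			out = append(out, s)
		}
		return out, nil
	default:
		return nil, fmt.Errorf("unexpected type %T for aud", raw)
	}
}

// VerifyAudience reports whether the token is intended for expected.
// It fails closed: a missing, empty or malformed aud claim is rejected,
// and "" never matches anything.
func VerifyAudience(claims map[string]interface{}, expected string) bool {
	if expected == "" {
		return false
	}
	auds, err := audienceValues(claims)
	if err != nil || len(auds) == 0 {
		return false
	}
	for _, a := range auds {
		if a == expected {
			return true
		}
	}
	return false
}

// legacyAudienceCheck reproduces the shape of the flawed check (hypothetical
// reconstruction, not the library's code): a single string type assertion,
// with the empty string treated as "no audience present". With required=false
// an array-valued aud therefore passes without ever being compared.
func legacyAudienceCheck(claims map[string]interface{}, expected string, required bool) bool {
	aud, _ := claims["aud"].(string)
	if aud == "" {
		return !required
	}
	return aud == expected
}

// ParseClaims decodes a JSON claims payload. Signature verification is out
// of scope here; only the claim-type handling is being demonstrated.
func ParseClaims(payload string) (map[string]interface{}, error) {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &m); err != nil {
		return nil, err
	}
	return m, nil
}

func main() {
	// Constructed sample payloads; not real tokens.
	single := `{"sub":"alice","aud":"api.example"}`
	array := `{"sub":"alice","aud":["other.example","billing.example"]}`
	for _, p := range []string{single, array} {
		claims, err := ParseClaims(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-62s legacy=%v strict=%v\n", p,
			legacyAudienceCheck(claims, "api.example", false),
			VerifyAudience(claims, "api.example"))
	}
}
```

Running it shows the second payload, whose `aud` array does not contain `api.example`, being accepted by the legacy-shaped check and rejected by the strict one. The practical takeaway for a service consuming tokens from a library at the affected version is the last sentence of the CVE text: perform your own audience check rather than relying on the library's.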

@ripienaar

This has been reported several times, please review the open issues. Maintenance of this project is on pause and a number of us are working to try to move things back into action. Till then this will remain.

@boddumanohar

boddumanohar commented May 12, 2021

related issues:
#428
#463

@Schneider-Electric-Carros
Author

Alright, I will just close this issue to avoid duplicates then. Thanks.
