| module: github.com/square/go-jose |
| versions: |
| - fixed: v0.0.0-20160922232413-2c5656adca99 |
| description: | |
| When decrypting JsonWebEncryption objects with multiple recipients |
| or JsonWebSignature objects with multiple signatures the Decrypt |
| and Verify methods do not indicate which recipient or signature was |
| valid. This may lead a caller to rely on protected headers from an |
| invalid recipient or signature. |
| published: 2021-04-14T12:00:00Z |
| cve: CVE-2016-9122 |
| credit: Quan Nguyen from Google's Information Security Engineering Team |
| symbols: |
| - JsonWebEncryption.Decrypt |
| - JsonWebSignature.Verify |
| links: |
| commit: https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6 |
| context: |
| - https://www.openwall.com/lists/oss-security/2016/11/03/1 |