blob: 08ddd59ce3a2c2c8745124c0d5b51aaa84994056 [file] [log] [blame]
module: github.com/square/go-jose
versions:
- fixed: v0.0.0-20160922232413-2c5656adca99
description: |
When decrypting JsonWebEncryption objects with multiple recipients
or JsonWebSignature objects with multiple signatures the Decrypt
and Verify methods do not indicate which recipient or signature was
valid. This may lead a caller to rely on protected headers from an
invalid recipient or signature.
published: 2021-04-14T12:00:00Z
cve: CVE-2016-9122
credit: Quan Nguyen from Google's Information Security Engineering Team
symbols:
- JsonWebEncryption.Decrypt
- JsonWebSignature.Verify
links:
commit: https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
context:
- https://www.openwall.com/lists/oss-security/2016/11/03/1