blob: c82ccf7ef51163fb52e4b1445bda42b863070189 [file] [log] [blame]
module: github.com/square/go-jose
versions:
- fixed: v0.0.0-20160922232413-2c5656adca99
description: |
When decrypting JsonWebEncryption objects with multiple recipients
or JsonWebSignature objects with multiple signatures the Decrypt
and Verify methods do not indicate which recipient or signature was
valid. This may lead a caller to rely on protected headers from an
invalid recipient or signature.
published: 2021-04-14T20:04:52Z
cves:
- CVE-2016-9122
ghsas:
- GHSA-77gc-fj98-665h
credit: Quan Nguyen from Google's Information Security Engineering Team
symbols:
- JsonWebEncryption.Decrypt
- JsonWebSignature.Verify
links:
commit: https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
context:
- https://www.openwall.com/lists/oss-security/2016/11/03/1