data/reports/GO-2022-0945.yaml - vulndb - Git at Google

 modules:
   - module: gopkg.in/square/go-jose.v1
     versions:
       - fixed: 1.1.0
     vulnerable_at: 1.0.0-20160831185616-c7581939a365
     packages:
       - package: gopkg.in/square/go-jose.v1
         symbols:
           - JsonWebSignature.Verify
           - ecDecrypterSigner.decryptKey
           - rawJsonWebKey.ecPublicKey
         derived_symbols:
           - JsonWebEncryption.Decrypt
           - JsonWebKey.UnmarshalJSON
       - package: gopkg.in/square/go-jose.v1/cipher
         symbols:
           - DeriveECDHES
           - NewConcatKDF
           - cbcAEAD.Seal
           - cbcAEAD.computeAuthTag
           - padBuffer
           - resize
         derived_symbols:
           - cbcAEAD.Open
 description: |
     The go-jose library suffers from multiple signatures exploitation. When
     validating a signed message, the API did not indicate which signature was
     valid, which creates the potential for confusion.
 published: 2022-08-22T17:59:45Z
 cves:
   - CVE-2016-9122
 ghsas:
   - GHSA-77gc-fj98-665h
 credit: Quan Nguyen from Google's Information Security Engineering Team
 references:
   - advisory: https://www.openwall.com/lists/oss-security/2016/11/03/1
   - fix: https://github.com/square/go-jose/pull/111
   - fix: https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
   - web: https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96
   - web: https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507
	modules:
	- module: gopkg.in/square/go-jose.v1
	versions:
	- fixed: 1.1.0
	vulnerable_at: 1.0.0-20160831185616-c7581939a365
	packages:
	- package: gopkg.in/square/go-jose.v1
	symbols:
	- JsonWebSignature.Verify
	- ecDecrypterSigner.decryptKey
	- rawJsonWebKey.ecPublicKey
	derived_symbols:
	- JsonWebEncryption.Decrypt
	- JsonWebKey.UnmarshalJSON
	- package: gopkg.in/square/go-jose.v1/cipher
	symbols:
	- DeriveECDHES
	- NewConcatKDF
	- cbcAEAD.Seal
	- cbcAEAD.computeAuthTag
	- padBuffer
	- resize
	derived_symbols:
	- cbcAEAD.Open
	description: \|
	The go-jose library suffers from multiple signatures exploitation. When
	validating a signed message, the API did not indicate which signature was
	valid, which creates the potential for confusion.
	published: 2022-08-22T17:59:45Z
	cves:
	- CVE-2016-9122
	ghsas:
	- GHSA-77gc-fj98-665h
	credit: Quan Nguyen from Google's Information Security Engineering Team
	references:
	- advisory: https://www.openwall.com/lists/oss-security/2016/11/03/1
	- fix: https://github.com/square/go-jose/pull/111
	- fix: https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
	- web: https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96
	- web: https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507