blob: 86389536abad0352a169d429ee25cbe50c3b2215 [file] [log] [blame]
module = "github.com/square/go-jose"
description = """
When decrypting JsonWebEncryption objects with multiple recipients
or JsonWebSignature objects with multiple signatures the Decrypt
and Verify methods do not indicate which recipient or signature was
valid. This may lead a caller to rely on protected headers from an
invalid recipient or signature.
"""
cve = "CVE-2016-9122"
credit = "Quan Nguyen from Google's Information Security Engineering Team"
symbols = ["JsonWebEncryption.Decrypt", "JsonWebSignature.Verify"]
[[versions]]
fixed = "v0.0.0-20160922232413-2c5656adca99"
[links]
commit = "https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6"
context = ["https://www.openwall.com/lists/oss-security/2016/11/03/1"]