| module = "github.com/square/go-jose" |
| |
| description = """ |
| When decrypting JsonWebEncryption objects with multiple recipients |
| or JsonWebSignature objects with multiple signatures the Decrypt |
| and Verify methods do not indicate which recipient or signature was |
| valid. This may lead a caller to rely on protected headers from an |
| invalid recipient or signature. |
| """ |
| |
| cve = "CVE-2016-9122" |
| |
| credit = "Quan Nguyen from Google's Information Security Engineering Team" |
| |
| symbols = ["JsonWebEncryption.Decrypt", "JsonWebSignature.Verify"] |
| |
| [[versions]] |
| fixed = "v0.0.0-20160922232413-2c5656adca99" |
| |
| [links] |
| commit = "https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6" |
| context = ["https://www.openwall.com/lists/oss-security/2016/11/03/1"] |