| modules: |
| - module: github.com/dgrijalva/jwt-go |
| versions: |
| - introduced: 0.0.0-20150717181359-44718f8a89b0 |
| vulnerable_at: 3.2.0+incompatible |
| packages: |
| - package: github.com/dgrijalva/jwt-go |
| symbols: |
| - MapClaims.VerifyAudience |
| - module: github.com/dgrijalva/jwt-go/v4 |
| versions: |
| - fixed: 4.0.0-preview1 |
| packages: |
| - package: github.com/dgrijalva/jwt-go/v4 |
| symbols: |
| - MapClaims.VerifyAudience |
| description: | |
| If a JWT contains an audience claim with an array of strings, rather |
| than a single string, and MapClaims.VerifyAudience is called with |
| req set to false, then audience verification will be bypassed, |
| allowing an invalid set of audiences to be provided. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2020-26160 |
| ghsas: |
| - GHSA-w73w-5m7g-f7qc |
| credit: '@christopher-wong' |
| references: |
| - fix: https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab |
| - web: https://github.com/dgrijalva/jwt-go/issues/422 |
