blob: 205acd65ea1f67c5362762d1947b9623f4f825b2 [file] [log] [blame]
{
"schema_version": "1.3.1",
"id": "GO-2022-0945",
"modified": "0001-01-01T00:00:00Z",
"published": "2022-08-22T17:59:45Z",
"aliases": [
"CVE-2016-9122",
"GHSA-77gc-fj98-665h"
],
"summary": "Signature validation bypass in gopkg.in/square/go-jose.v1",
"details": "The go-jose library suffers from multiple signatures exploitation. When validating a signed message, the API did not indicate which signature was valid, which creates the potential for confusion.",
"affected": [
{
"package": {
"name": "gopkg.in/square/go-jose.v1",
"ecosystem": "Go"
},
"ranges": [
{
"type": "SEMVER",
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
]
}
],
"ecosystem_specific": {
"imports": [
{
"path": "gopkg.in/square/go-jose.v1",
"symbols": [
"JsonWebEncryption.Decrypt",
"JsonWebKey.UnmarshalJSON",
"JsonWebSignature.Verify",
"ecDecrypterSigner.decryptKey",
"rawJsonWebKey.ecPublicKey"
]
},
{
"path": "gopkg.in/square/go-jose.v1/cipher",
"symbols": [
"DeriveECDHES",
"NewConcatKDF",
"cbcAEAD.Open",
"cbcAEAD.Seal",
"cbcAEAD.computeAuthTag",
"padBuffer",
"resize"
]
}
]
}
}
],
"references": [
{
"type": "ADVISORY",
"url": "https://www.openwall.com/lists/oss-security/2016/11/03/1"
},
{
"type": "FIX",
"url": "https://github.com/square/go-jose/pull/111"
},
{
"type": "FIX",
"url": "https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6"
},
{
"type": "WEB",
"url": "https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96"
},
{
"type": "WEB",
"url": "https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507"
}
],
"credits": [
{
"name": "Quan Nguyen from Google's Information Security Engineering Team"
}
],
"database_specific": {
"url": "https://pkg.go.dev/vuln/GO-2022-0945"
}
}