| id: GO-2020-0017 |
| modules: |
| - module: github.com/dgrijalva/jwt-go |
| versions: |
| - introduced: 0.0.0-20150717181359-44718f8a89b0 |
| vulnerable_at: 3.2.0+incompatible |
| packages: |
| - package: github.com/dgrijalva/jwt-go |
| symbols: |
| - MapClaims.VerifyAudience |
| - module: github.com/dgrijalva/jwt-go/v4 |
| versions: |
| - fixed: 4.0.0-preview1 |
| vulnerable_at: 4.0.0-20190408202314-32acca36b99f |
| packages: |
| - package: github.com/dgrijalva/jwt-go/v4 |
| symbols: |
| - MapClaims.VerifyAudience |
| summary: Authorization bypass in github.com/dgrijalva/jwt-go |
| description: |- |
| If a JWT contains an audience claim with an array of strings, rather than a |
| single string, and MapClaims.VerifyAudience is called with req set to false, |
| then audience verification will be bypassed, allowing an invalid set of |
| audiences to be provided. |
| published: 2021-04-14T20:04:52Z |
| cves: |
| - CVE-2020-26160 |
| ghsas: |
| - GHSA-w73w-5m7g-f7qc |
| credits: |
| - '@christopher-wong' |
| references: |
| - fix: https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab |
| - web: https://github.com/dgrijalva/jwt-go/issues/422 |
| review_status: REVIEWED |