blob: 26e16127fa40b9a5a01d559b8a247ca1f87b022d [file] [log] [blame]
module: github.com/square/go-jose
versions:
- fixed: v0.0.0-20160922232413-2c5656adca99
description: |
When decrypting JsonWebEncryption objects with multiple recipients
or JsonWebSignature objects with multiple signatures the Decrypt
and Verify methods do not indicate which recipient or signature was
valid. This may lead a caller to rely on protected headers from an
invalid recipient or signature.
cves:
- CVE-2016-9122
credit: Quan Nguyen from Google's Information Security Engineering Team
symbols:
- JsonWebEncryption.Decrypt
- JsonWebSignature.Verify
links:
commit: https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
context:
- https://www.openwall.com/lists/oss-security/2016/11/03/1