blob: 04f8d3ffc52463ccca5215c51f7188cba6e0eb3b [file] [log] [blame]
module: github.com/dgrijalva/jwt-go
additional_packages:
- module: github.com/dgrijalva/jwt-go/v4
symbols:
- MapClaims.VerifyAudience
versions:
- fixed: v4.0.0-preview1
versions:
- introduced: v0.0.0-20150717181359-44718f8a89b0
description: |
If a JWT contains an audience claim with an array of strings, rather
than a single string, and MapClaims.VerifyAudience is called with
req set to false, then audience verification will be bypassed,
allowing an invalid set of audiences to be provided.
cves:
- CVE-2020-26160
credit: '@christopher-wong'
symbols:
- MapClaims.VerifyAudience
links:
commit: https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab
context:
- https://github.com/dgrijalva/jwt-go/issues/422