reports/GO-2020-0011.toml - vulndb - Git at Google

 package = "github.com/square/go-jose"

 description = """
 When decrypting JsonWebEncryption objects with multiple recipients
 or JsonWebSignature objects with multiple signatures the Decrypt
 and Verify methods do not indicate which recipient or signature was
 valid. This may lead a caller to rely on protected headers from an
 invalid recipient or signature.
 """

 cve = "CVE-2016-9122"

 credit = "Quan Nguyen from Google's Information Security Engineering Team"

 symbols = ["JsonWebEncryption.Decrypt", "JsonWebSignature.Verify"]

 [[versions]]
 fixed = "v0.0.0-20160922232413-2c5656adca99"

 [links]
 commit = "https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6"
 context = ["https://www.openwall.com/lists/oss-security/2016/11/03/1"]
	package = "github.com/square/go-jose"

	description = """
	When decrypting JsonWebEncryption objects with multiple recipients
	or JsonWebSignature objects with multiple signatures the Decrypt
	and Verify methods do not indicate which recipient or signature was
	valid. This may lead a caller to rely on protected headers from an
	invalid recipient or signature.
	"""

	cve = "CVE-2016-9122"

	credit = "Quan Nguyen from Google's Information Security Engineering Team"

	symbols = ["JsonWebEncryption.Decrypt", "JsonWebSignature.Verify"]

	[[versions]]
	fixed = "v0.0.0-20160922232413-2c5656adca99"

	[links]
	commit = "https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6"
	context = ["https://www.openwall.com/lists/oss-security/2016/11/03/1"]