reports/GO-2020-0017.toml - vulndb - Git at Google

 package = "github.com/dgrijalva/jwt-go"

 description = """
 If a JWT contains an audience claim with an array of strings, rather
 than a single string, and `MapClaims.VerifyAudience` is called with
 `req` set to `false` then audience verification will be bypassed,
 allowing an invalid set of audiences to be provided.
 """

 cve = "CVE-2020-26160"

 credit = "@christopher-wong"

 symbols = ["MapClaims.VerifyAudience"]

 [[versions]]
 introduced = "v0.0.0-20150717181359-44718f8a89b0"
 fixed = "v4.0.0-20190408214815-ec0a89a131e"

 [[additional_packages]]
 package = "github.com/dgrijalva/jwt-go/v4"
 symbols = ["MapClaims.VerifyAudience"]
 [[additional_packages.versions]]
 fixed = "v4.0.0-20190408214815-ec0a89a131e3"

 [links]
 commit = "https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab"
 context = ["https://github.com/dgrijalva/jwt-go/issues/422"]
	package = "github.com/dgrijalva/jwt-go"

	description = """
	If a JWT contains an audience claim with an array of strings, rather
	than a single string, and `MapClaims.VerifyAudience` is called with
	`req` set to `false` then audience verification will be bypassed,
	allowing an invalid set of audiences to be provided.
	"""

	cve = "CVE-2020-26160"

	credit = "@christopher-wong"

	symbols = ["MapClaims.VerifyAudience"]

	[[versions]]
	introduced = "v0.0.0-20150717181359-44718f8a89b0"
	fixed = "v4.0.0-20190408214815-ec0a89a131e"

	[[additional_packages]]
	package = "github.com/dgrijalva/jwt-go/v4"
	symbols = ["MapClaims.VerifyAudience"]
	[[additional_packages.versions]]
	fixed = "v4.0.0-20190408214815-ec0a89a131e3"

	[links]
	commit = "https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab"
	context = ["https://github.com/dgrijalva/jwt-go/issues/422"]