blob: 81cb4ea2d3ea0e1a34bf5d1e3e1ee6ea62ce3f77 [file] [log] [blame]
id: GO-2022-0945
modules:
- module: gopkg.in/square/go-jose.v1
versions:
- fixed: 1.1.0
vulnerable_at: 1.0.0-20160831185616-c7581939a365
packages:
- package: gopkg.in/square/go-jose.v1
symbols:
- JsonWebSignature.Verify
- ecDecrypterSigner.decryptKey
- rawJsonWebKey.ecPublicKey
derived_symbols:
- JsonWebEncryption.Decrypt
- JsonWebKey.UnmarshalJSON
- package: gopkg.in/square/go-jose.v1/cipher
symbols:
- DeriveECDHES
- NewConcatKDF
- cbcAEAD.Seal
- cbcAEAD.computeAuthTag
- padBuffer
- resize
derived_symbols:
- cbcAEAD.Open
summary: Signature validation bypass in gopkg.in/square/go-jose.v1
description: |-
The go-jose library suffers from multiple signatures exploitation. When
validating a signed message, the API did not indicate which signature was valid,
which creates the potential for confusion.
published: 2022-08-22T17:59:45Z
cves:
- CVE-2016-9122
ghsas:
- GHSA-77gc-fj98-665h
credits:
- Quan Nguyen from Google's Information Security Engineering Team
references:
- advisory: https://www.openwall.com/lists/oss-security/2016/11/03/1
- fix: https://github.com/square/go-jose/pull/111
- fix: https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
- web: https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96
- web: https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507
review_status: REVIEWED