reports/GO-2020-0011.yaml - vulndb - Git at Google

 module: github.com/square/go-jose
 versions:
   - fixed: v0.0.0-20160922232413-2c5656adca99
 description: |
   When decrypting JsonWebEncryption objects with multiple recipients
   or JsonWebSignature objects with multiple signatures the Decrypt
   and Verify methods do not indicate which recipient or signature was
   valid. This may lead a caller to rely on protected headers from an
   invalid recipient or signature.
 cves:
   - CVE-2016-9122
 credit: Quan Nguyen from Google's Information Security Engineering Team
 symbols:
   - JsonWebEncryption.Decrypt
   - JsonWebSignature.Verify
 links:
   commit: https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
   context:
     - https://www.openwall.com/lists/oss-security/2016/11/03/1
	module: github.com/square/go-jose
	versions:
	- fixed: v0.0.0-20160922232413-2c5656adca99
	description: \|
	When decrypting JsonWebEncryption objects with multiple recipients
	or JsonWebSignature objects with multiple signatures the Decrypt
	and Verify methods do not indicate which recipient or signature was
	valid. This may lead a caller to rely on protected headers from an
	invalid recipient or signature.
	cves:
	- CVE-2016-9122
	credit: Quan Nguyen from Google's Information Security Engineering Team
	symbols:
	- JsonWebEncryption.Decrypt
	- JsonWebSignature.Verify
	links:
	commit: https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
	context:
	- https://www.openwall.com/lists/oss-security/2016/11/03/1