reports/GO-2020-0017.yaml - vulndb - Git at Google

 packages:
   - module: github.com/dgrijalva/jwt-go
     symbols:
       - MapClaims.VerifyAudience
     versions:
       - introduced: v0.0.0-20150717181359-44718f8a89b0
   - module: github.com/dgrijalva/jwt-go/v4
     symbols:
       - MapClaims.VerifyAudience
     versions:
       - fixed: v4.0.0-preview1
 description: |
     If a JWT contains an audience claim with an array of strings, rather
     than a single string, and MapClaims.VerifyAudience is called with
     req set to false, then audience verification will be bypassed,
     allowing an invalid set of audiences to be provided.
 published: 2021-04-14T20:04:52Z
 cves:
   - CVE-2020-26160
 ghsas:
   - GHSA-w73w-5m7g-f7qc
 credit: '@christopher-wong'
 links:
     commit: https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab
     context:
       - https://github.com/dgrijalva/jwt-go/issues/422
	packages:
	- module: github.com/dgrijalva/jwt-go
	symbols:
	- MapClaims.VerifyAudience
	versions:
	- introduced: v0.0.0-20150717181359-44718f8a89b0
	- module: github.com/dgrijalva/jwt-go/v4
	symbols:
	- MapClaims.VerifyAudience
	versions:
	- fixed: v4.0.0-preview1
	description: \|
	If a JWT contains an audience claim with an array of strings, rather
	than a single string, and MapClaims.VerifyAudience is called with
	req set to false, then audience verification will be bypassed,
	allowing an invalid set of audiences to be provided.
	published: 2021-04-14T20:04:52Z
	cves:
	- CVE-2020-26160
	ghsas:
	- GHSA-w73w-5m7g-f7qc
	credit: '@christopher-wong'
	links:
	commit: https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab
	context:
	- https://github.com/dgrijalva/jwt-go/issues/422