​
Security Advisories

CGA-hpm9-h769-jfrh

Published

Last updated

https://images.chainguard.dev/security/CGA-hpm9-h769-jfrh
Package

gitness

Latest Update
Fixed
Fixed Version

3.0.0_beta5-r0

Aliases
  • CVE-2020-26160
  • GHSA-w73w-5m7g-f7qc

Severity

7.5

High

CVSS V3

Summary

Authorization bypass in github.com/dgrijalva/jwt-go

Description

jwt-go allows attackers to bypass intended access restrictions when m["aud"] holds a []string{} (which is allowed by the specification). Because the type assertion fails, aud takes the value "". This is a security problem if the JWT is presented to a service that lacks its own audience check. There is no patch available, and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1.
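
The failure mode described above next to a fail-closed audience check, as an added Go example that is not code from jwt-go, golang-jwt or this advisory. The function names, sample claims and service names are constructed, and treating an empty aud as an absent optional claim is an assumption of the sketch.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample claims: "aud" as a JSON array, which the spec allows.
const sampleClaims = `{"sub":"alice","aud":["billing-api"]}`

// parseClaims decodes a claims object; a JSON array becomes []interface{}.
func parseClaims(raw string) (m map[string]interface{}) {
	_ = json.Unmarshal([]byte(raw), &m) // m stays nil on malformed input
	return m
}

// weakAudCheck sketches the failure mode (not jwt-go's source): the failed
// assertion leaves aud == "", assumed here to mean "optional claim absent".
func weakAudCheck(m map[string]interface{}, want string) bool {
	aud, _ := m["aud"].(string)
	return aud == "" || aud == want
}

// strictAudCheck accepts both claim shapes and fails closed otherwise.
func strictAudCheck(m map[string]interface{}, want string) bool {
	switch v := m["aud"].(type) {
	case string:
		return v == want
	case []string:
		for _, a := range v {
			if a == want {
				return true
			}
		}
	case []interface{}:
		for _, e := range v {
			if s, ok := e.(string); ok && s == want {
				return true
			}
		}
	}
	return false // missing claim, wrong type, or no match
}

func main() {
	m := parseClaims(sampleClaims)
	fmt.Println("weak check, other service:  ", weakAudCheck(m, "admin-api"))
	fmt.Println("strict check, other service:", strictAudCheck(m, "admin-api"))
}
```

A service that relies on the library for audience validation should behave like the strict check: a token whose aud does not name the service is rejected whether the claim is a string or an array.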

References

Updates


© 2024 Chainguard. All Rights Reserved.