CVE-2020-26160 @ Go-github.zerozr99.workers.dev/dgrijalva/jwt-go-v3.2.0

**Vulnerable Package** issue exists @ **Go\-github.com/dgrijalva/jwt\-go\-v3.2.0** in branch **main**

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

**Namespace:** Yoavast
**Repository:** CX-AST
**Repository Url:** https://github.com/Yoavast/CX-AST
**CxAST\-Project:** Yoavast/CX-AST
**CxAST platform scan:** [f4e2badb\-d784\-4b21\-beea\-d2a1a654b646](https://eu.ast.checkmarx.net/projects/6a184a17-03db-4e31-adbc-afd64727f949/scans?id=f4e2badb-d784-4b21-beea-d2a1a654b646&branch=main)
**Branch:** main
**Application:** CX-AST
**Severity:** HIGH
**State:** NOT_IGNORED
**Status:** RECURRENT
**CWE:** CWE-755


----
**Additional Info**
**Attack vector:** NETWORK
**Attack complexity:** LOW
**Confidentiality impact:** HIGH
**Availability impact:** NONE
**Remediation Upgrade Recommendation:** v3.2.1-0.20180308231308-06ea1031745c+incompatible


----
**References**
[Advisory](https://github.com/advisories/GHSA-w73w-5m7g-f7qc)
[Advisory](https://bugzilla.redhat.com/show_bug.cgi?id=1883371)
[Pull request](https://github.com/dgrijalva/jwt-go/pull/426)
[Issue](https://github.com/dgrijalva/jwt-go/issues/422)


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CVE-2020-26160 @ Go-github.zerozr99.workers.dev/dgrijalva/jwt-go-v3.2.0 #69

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

CVE-2020-26160 @ Go-github.zerozr99.workers.dev/dgrijalva/jwt-go-v3.2.0 #69

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions