CVE-2020-26160

**Describe the bug**
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

**To Reproduce**
Steps to reproduce the behavior:
1. [Go to '...'](https://github.com/f5devcentral/container-egress-service/blob/83fb7c3a42098cc9dbdf9c5c1f4711375cd42cd8/go.sum#L76)


**Expected behavior**
Ensure fix is present: https://github.com/dgrijalva/jwt-go/pull/426

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

CVE-2020-26160 #9

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2020-26160 #9

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions