
JWT-go package is vulnerable #62

Closed
ManavIBM opened this issue Sep 29, 2021 · 1 comment
Playground link - N/A

The package github.com/dgrijalva/jwt-go introduces a vulnerability to the postgres driver for gorm

Details of vulnerability:

github.com/dgrijalva/jwt-go is a go implementation of JSON Web Tokens.

Affected versions of this package are vulnerable to Access Restriction Bypass: if m["aud"] happens to be []string{}, as allowed by the spec, the type assertion fails and the value of aud is "". This can cause audience verification to succeed even if the audiences being passed are incorrect, if required is set to false.

Remediation
Upgrade github.com/dgrijalva/jwt-go to version 4.0.0-preview1 or higher.
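The failure mode described in the report, as an added Go example that is neither the library's code nor the reporter's: a model of the flawed audience check next to a version that handles both the string and the array forms of the aud claim. The names MapClaims, verifyAudienceVulnerable and verifyAudienceFixed are assumed here; the claim sets in the comments are constructed samples.

```go
package main
import "crypto/subtle"

// MapClaims mirrors the map[string]interface{} claim set the issue discusses.
type MapClaims map[string]interface{}

// verifyAudienceVulnerable models the flawed logic the issue describes (not the
// library's code): a failed type assertion yields "", and an empty audience is
// accepted whenever required is false.
func verifyAudienceVulnerable(m MapClaims, cmp string, required bool) bool {
	aud, _ := m["aud"].(string) // []string or []interface{} silently becomes ""
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// verifyAudienceFixed accepts the string and array forms RFC 7519 allows and
// rejects a present-but-unrecognised type instead of treating it as absent.
func verifyAudienceFixed(m MapClaims, cmp string, required bool) bool {
	raw, present := m["aud"]
	if !present {
		return !required
	}
	var auds []string
	switch v := raw.(type) {
	case string:
		auds = []string{v}
	case []string:
		auds = v
	case []interface{}: // what encoding/json produces for a JSON array
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false
			}
			auds = append(auds, s)
		}
	default:
		return false
	}
	if len(auds) == 0 { // the []string{} case from the report
		return !required
	}
	for _, a := range auds {
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			return true
		}
	}
	return false
}
```

With a constructed claim set {"aud": []string{"service-a"}} and required=false, verifyAudienceVulnerable accepts a comparison against an unrelated audience while verifyAudienceFixed rejects it.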

jinzhu commented Oct 9, 2021

Hi @ManavIBM

We don't rely on the package, thank you for your report.

@jinzhu jinzhu closed this as completed Oct 9, 2021