jwt-go Access Restriction Bypass Vuln #1647

Closed
3 tasks done
freewil opened this issue Oct 1, 2020 · 7 comments

@freewil

freewil commented Oct 1, 2020

Issue Description

For echo's JWT middleware, the version of jwt-go being used is vulnerable to an Access Restriction Bypass. I'm not sure if the vulnerability affects echo; it appears it may not, given the way the lib is currently used. The library appears to be unmaintained, so longer-term, moving to an alternative or using a patched version of the library should be considered in case the implementation changes.

See: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515

Checklist

  • Dependencies installed
  • No typos
  • Searched existing issues and docs
@WhileLoop
Contributor

For reference this is tracked in dgrijalva/jwt-go#422.

@orishoshan
Contributor

orishoshan commented Nov 2, 2020

Consider using https://github.com/form3tech-oss/jwt-go

@lammel
Contributor

lammel commented Nov 20, 2020

Discussion continues in the related PR #1663

@SVilgelm

Looks like the maintainer of jwt-go is not going to fix this issue in the v3 release.
@vishr What do you think about upgrading jwt-go to use the v4.preview1 release?

@jpcox

jpcox commented Jul 15, 2021

See https://github.com/dgrijalva/jwt-go README.md re the move to https://github.com/golang-jwt/jwt.

Also see https://github.com/golang-jwt/jwt/releases/tag/v3.2.1 for a fix to the CVE. This version is API compatible with 3.2.0 unlike v4.preview1.

@aldas
Contributor

aldas commented Jul 15, 2021

Please see #1916 (comment)

@aldas
Contributor

aldas commented Aug 2, 2021

done in #1946

@aldas aldas closed this as completed Aug 2, 2021