Security issue with github.com/dgrijalva/jwt-go #58
Comments
|
I might be misunderstanding things and it looks like there is a patched version mentioned here: dgrijalva/jwt-go#463 |
|
@rbastic this was already fixed, but you have to upgrade to v2.0.3 or later (which means changing the import to github.com/bradleyfalzon/ghinstallation/v2) |
|
Thanks! |
ghost
closed this as This issue was closed.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
When using this package in my code, I receive the following Dependabot alert from GitHub:
CVE-2020-26160
high severity
Vulnerable versions: <= 3.2.0
Patched version: No fix
jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1
--
Is it possible to migrate/upgrade to golang-jwt so that we can fix this vulnerability?
Kind regards,
Ryan Bastic
The text was updated successfully, but these errors were encountered: