Authorization bypass in github.com/dgrijalva/jwt-go
Overview
Source
ID
GHSA-w73w-5m7g-f7qc
Aliases
CVE-2020-26160
GO-2020-0017
Affected package
Description
jwt-go allows attackers to bypass intended access restrictions in situations with `[]string{}` for `m["aud"]` (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to [golang-jwt](https://github.com/golang-jwt/jwt) at version 3.2.1
Impact
Severity
help_outline
Latest version of the CVSS score reported by the source of the advisory.
7.5 HIGH
Reference links
Summary
35.90k
Total packages affected
help_outline
Packages with at least one version that is affected by the advisory or has an affected dependency.
2.85k
Packages with a known fix
help_outline
Packages with versions affected by the advisory that have a greater version that is not affected.
2.67%
Total ecosystem affected
help_outline
The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).
Affected Version: Introduced: 0.0.0-20150717181359-44718f8a89b0, Last Affected: 3.2.0
Affected
Affected Version: Introduced: 0, Fixed: 4.0.0-preview1