Authorization bypass in github.com/dgrijalva/jwt-go

Overview

Source

ID

GO-2020-0017

Aliases

CVE-2020-26160

GHSA-w73w-5m7g-f7qc

Affected package

github.com/dgrijalva/jwt-go

github.com/dgrijalva/jwt-go/v4

Description

If a JWT contains an audience claim with an array of strings, rather than a single string, and MapClaims.VerifyAudience is called with req set to false, then audience verification will be bypassed, allowing an invalid set of audiences to be provided.

Impact

Reference links

https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab

https://github.com/dgrijalva/jwt-go/issues/422

https://vuln.go.dev/ID/GO-2020-0017.json

Summary

35.90k

Total packages affected

Packages with at least one version that is affected by the advisory or has an affected dependency.

2.85k

Packages with a known fix

Packages with versions affected by the advisory that have a greater version that is not affected.

2.67%

Total ecosystem affected

The proportion of packages in the ecosystem that are affected by the advisory (fixed or not).

github.com/dgrijalva/jwt-go

Affected Version: Introduced: 0.0.0-20150717181359-44718f8a89b0

Affected

v3.2.0+incompatible

August 23, 2020

v3.1.0+incompatible

April 18, 2019

v3.0.0+incompatible

April 25, 2019

v2.7.0+incompatible

May 8, 2019

v2.6.0+incompatible

April 11, 2022

v2.5.0+incompatible

April 11, 2022

v2.4.0+incompatible

April 11, 2022

v2.3.0+incompatible

April 11, 2022

v2.2.0+incompatible

April 11, 2022

v2.1.0+incompatible

April 11, 2022

v2.0.0+incompatible

April 11, 2022

v1.0.3-0.20210802184156-9742bd7fca1c

September 2, 2021

v1.0.3-0.20200107013213-dc14462fd587

June 22, 2021

v1.0.3-0.20190620180102-5e25c22bd5d6

June 22, 2021

v1.0.3-0.20190530174854-7cd734deee98

June 22, 2021

v1.0.3-0.20180921172315-3af4c746e1c2

June 22, 2021

v1.0.3-0.20180719211823-0b96aaa70776

June 22, 2021

v1.0.3-0.20180309185540-3c771ce311b7

June 22, 2021

v1.0.3-0.20180308231308-06ea1031745c

June 22, 2021

v1.0.3-0.20171019215719-dbeaa9332f19

June 22, 2021

v1.0.3-0.20170608005149-a539ee1a749a

June 22, 2021

v1.0.3-0.20170508165458-6c8dedd55f8a

June 22, 2021

v1.0.3-0.20170201225849-2268707a8f08

June 22, 2021

v1.0.3-0.20170104182250-a601269ab70c

June 22, 2021

v1.0.3-0.20161101193935-9ed569b5d1ac

June 22, 2021

v1.0.3-0.20160831183534-24c63f56522a

June 22, 2021

v1.0.3-0.20160729164851-63734eae1ef5

June 22, 2021

v1.0.3-0.20160705203006-01aeca54ebda

June 22, 2021

v1.0.3-0.20160621201154-c9eaceb2896d

June 22, 2021

v1.0.3-0.20160617170158-f0777076321a

June 22, 2021

v1.0.3-0.20160616191424-268038b363c7

March 6, 2023

v1.0.3-0.20160504172548-40bd0f3b4891

June 22, 2021

v1.0.3-0.20160322221419-668b54691aea

June 22, 2021

v1.0.3-0.20150923202832-f62f64ea222e

June 22, 2021

v1.0.3-0.20150904212456-c1da56349675

June 22, 2021

v1.0.3-0.20150401180636-c48cfd5d9711

June 22, 2021

v1.0.3-0.20141103211122-47b263f02057

June 22, 2021

August 23, 2020

April 11, 2022

April 11, 2022

github.com/dgrijalva/jwt-go/v4

Affected Version: Introduced: 0, Fixed: 4.0.0-preview1

Patched/Unaffected

v4.0.0-preview1.0.20200107205605-c66185887605

January 9, 2020

Affected

v4.0.0-20200107012205-a58974ee87a6

April 11, 2022

v4.0.0-20190521221207-07e10bec2a34

September 4, 2019

v4.0.0-20190410170817-8222805572f2

May 24, 2019

This site uses cookies from Google to deliver its services and to analyze traffic.