You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
I've not been able to exploit it but it's probably best to update if possible.
The text was updated successfully, but these errors were encountered:
Possible authentication, or access, bypass in required package:
github.com/dgrijalva/jwt-go v3.2.0
https://nvd.nist.gov/vuln/detail/CVE-2020-26160
I've not been able to exploit it but it's probably best to update if possible.
The text was updated successfully, but these errors were encountered: