Package: golang-github-dgrijalva-jwt-go / 3.2.0-3
Metadata
Package | Version | Patches format |
---|---|---|
golang-github-dgrijalva-jwt-go | 3.2.0-3 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
0001 CVE 2020 26160.patch | claims.go: 45 (32 + 13 - 0 !) | cve-2020-26160. jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. https://github.com/dgrijalva/jwt-go/issues/428 https://github.com/dgrijalva/jwt-go/pull/286 |