Vulnerability Report: GO-2020-0017

CVE-2020-26160, GHSA-w73w-5m7g-f7qc
Affects: github.com/dgrijalva/jwt-go, github.com/dgrijalva/jwt-go/v4
Published: Apr 14, 2021
Modified: May 20, 2024

If a JWT contains an audience claim with an array of strings, rather than a single string, and MapClaims.VerifyAudience is called with req set to false, then audience verification will be bypassed, allowing an invalid set of audiences to be provided.

Affected Packages

Path

Go Versions

Symbols
github.com/dgrijalva/jwt-go

all versions, no known fixed
- MapClaims.VerifyAudience
github.com/dgrijalva/jwt-go/v4

before v4.0.0-preview1
- MapClaims.VerifyAudience

Aliases

CVE-2020-26160
GHSA-w73w-5m7g-f7qc

References

https://github.com/dgrijalva/jwt-go/commit/ec0a89a131e3e8567adcb21254a5cd20a70ea4ab
https://github.com/dgrijalva/jwt-go/issues/422
https://vuln.go.dev/ID/GO-2020-0017.json

Credits

@christopher-wong

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL