This repository has been archived by the owner on May 18, 2022. It is now read-only.

SECURITY: github.com/dgrijalva/jwt-go needs to be replaced by github.com/golang-jwt/jwt #30

Open
araujof opened this issue Feb 8, 2022 · 2 comments

Comments

@araujof

araujof commented Feb 8, 2022

Type
Security (CVE-2020-26160)

Description
github.com/dgrijalva/jwt-go has an unpatched vulnerability and it's no longer maintained. It needs to be replaced by github.com/golang-jwt/jwt. Please see the advisory below. This affects all consumers using the Golang SDK to send notifications and findings to IBM SCC.

Advisory
GHSA-w73w-5m7g-f7qc
High severity
Vulnerable versions: <= 3.2.0
Patched version: No fix
jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1.
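To make the advisory's mechanism concrete, here is an added Go example that is not part of this issue, of the security-advisor SDK, or of either jwt library. Both verification functions are hypothetical reconstructions written for illustration: legacyVerifyAudience models the flawed pattern the advisory describes (a single string type assertion whose failure is ignored), and safeVerifyAudience is a hardened check that accepts every shape the spec allows for "aud". The payloads are constructed; note that encoding/json decodes a JSON array into []interface{}, which is exactly why a bare string assertion yields "".

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// parseClaims decodes a JWT payload (already base64-decoded JSON) into the
// generic map that encoding/json produces: JSON strings become string and
// JSON arrays become []interface{}, never []string.
func parseClaims(payload string) (map[string]interface{}, error) {
	var claims map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// audMatches compares one audience value against the expected one in constant time.
func audMatches(aud, cmp string) bool {
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// legacyVerifyAudience reproduces the flawed pattern described in the advisory
// (hypothetical reconstruction, not code copied from jwt-go): a single string
// type assertion whose failure is discarded. For an array-valued "aud" the
// assertion yields "", which the check then treats as "no audience present".
func legacyVerifyAudience(claims map[string]interface{}, cmp string, required bool) bool {
	aud, _ := claims["aud"].(string) // silently "" for []interface{}
	if aud == "" {
		return !required // an array audience is mistaken for an absent one
	}
	return audMatches(aud, cmp)
}

// safeVerifyAudience handles every shape the JWT spec allows for "aud":
// a single string, a []string (claims built in Go), or a []interface{}
// (claims decoded from JSON). Any other type fails closed, and an audience
// that is present but matches nothing never passes, whatever "required" says.
func safeVerifyAudience(claims map[string]interface{}, cmp string, required bool) bool {
	raw, present := claims["aud"]
	if !present {
		return !required
	}
	var auds []string
	switch v := raw.(type) {
	case string:
		auds = []string{v}
	case []string:
		auds = v
	case []interface{}:
		for _, item := range v {
			s, ok := item.(string)
			if !ok {
				return false // malformed audience entry
			}
			auds = append(auds, s)
		}
	default:
		return false // unexpected type: fail closed
	}
	for _, aud := range auds {
		if audMatches(aud, cmp) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample payloads; not real tokens.
	arrayAud, _ := parseClaims(`{"sub":"user-1","aud":["payments","billing"]}`)
	stringAud, _ := parseClaims(`{"sub":"user-1","aud":"payments"}`)

	fmt.Println("legacy, array aud, service 'reports', aud optional:",
		legacyVerifyAudience(arrayAud, "reports", false)) // true: the bypass
	fmt.Println("safe,   array aud, service 'reports':",
		safeVerifyAudience(arrayAud, "reports", true)) // false
	fmt.Println("safe,   array aud, service 'payments':",
		safeVerifyAudience(arrayAud, "payments", true)) // true
	fmt.Println("safe,   string aud, service 'payments':",
		safeVerifyAudience(stringAud, "payments", true)) // true
}
```

The design point is the "required" flag: in the legacy shape, an unparseable audience and a missing audience collapse into the same "" value, so a lenient caller accepts a token minted for a different service. The hardened version only treats a truly absent claim as optional, and fails closed on any value it cannot interpret.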

@gary1998
Collaborator

gary1998 commented Feb 9, 2022

Hey @araujof, this SDK is going to sunset very soon, please migrate to the new SDK https://github.com/IBM/scc-go-sdk, and as far as the CVE is concerned, we're fixing it.

gary1998 pushed a commit to gary1998/security-advisor-sdk-go that referenced this issue Feb 9, 2022
prince737 added a commit that referenced this issue Feb 9, 2022
@araujof
Author

araujof commented Feb 9, 2022

Thanks for pushing the fix and pointing me to the new SDK. It would be good to add this information to the README so that other folks don't use the old SDK by mistake.
