You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on May 18, 2022. It is now read-only.
Description
github.com/dgrijalva/jwt-go has an unpatched vulnerability and it's no longer maintained. It needs to be replaced by github.com/golang-jwt/jwt. Please see the advisory below. This affects all consumers using the Golang SDK to send notifications and findings to IBM SCC.
Advisory GHSA-w73w-5m7g-f7qc
High severity
Vulnerable versions: <= 3.2.0
Patched version: No fix
jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1
The text was updated successfully, but these errors were encountered:
Hey @araujof this SDK is going to sunset very soon, please migrate to the new SDK https://github.com/IBM/scc-go-sdk and as long as the CVE is concerned, we're fixing it.
gary1998
pushed a commit
to gary1998/security-advisor-sdk-go
that referenced
this issue
Feb 9, 2022
Thanks for pushing the fix and pointing me to the new SDK. It would be good to add this information to the README so that other folks don't use the old SDK by mistake.
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Type
Security (CVE-2020-26160)
Description
github.com/dgrijalva/jwt-go has an unpatched vulnerability and it's no longer maintained. It needs to be replaced by github.com/golang-jwt/jwt. Please see the advisory below. This affects all consumers using the Golang SDK to send notifications and findings to IBM SCC.
Advisory
GHSA-w73w-5m7g-f7qc
High severity
Vulnerable versions: <= 3.2.0
Patched version: No fix
jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1
The text was updated successfully, but these errors were encountered: