CVE-2016-9122 — Improper Access Control in Square Go-jose.v1
Severity
7.5 HIGH (NVD)
EPSS
0.3%
top 45.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Mar 28
Latest update: Aug 22
Description
go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 2 packages
Patches
Vulnerability Details (5)
Vendor Advisories (1)
Debian: CVE-2016-9122: golang-gopkg-square-go-jose.v1 - go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose ... (2016)