CVE-2020-26160: Improper Authentication in Dgrijalva Jwt-go V4

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 82.96%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 30; latest update May 18

Description

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions when the "aud" claim (m["aud"]) is a []string{}, an array form the specification permits. Because the type assertion to string fails, "" is taken as the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
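An added illustration of the flaw described above, written for this page and not taken from the jwt-go project: the pre-fix audience check reduces to a single string type assertion, so an array-valued "aud" silently becomes "" and a non-required check passes for any audience; the hardened variant accepts both claim shapes. The type name MapClaims is borrowed for readability and the function names are hypothetical.

```go
package main

import "encoding/json"

// MapClaims mirrors the decoded-claims shape jwt-go uses (map[string]interface{});
// the name is borrowed for readability and this file does not import jwt-go.
type MapClaims map[string]interface{}

// parseClaims decodes a JSON claim set (a JWT payload after base64url decoding).
func parseClaims(raw string) (MapClaims, error) {
	var m MapClaims
	err := json.Unmarshal([]byte(raw), &m)
	return m, err
}

// vulnerableVerifyAudience reproduces the pre-4.0.0-preview1 logic: a single
// string type assertion. When "aud" is a JSON array the assertion fails, aud
// becomes "", and a non-required check then passes for any audience at all.
func vulnerableVerifyAudience(m MapClaims, expected string, required bool) bool {
	aud, _ := m["aud"].(string)
	if aud == "" {
		return !required
	}
	return aud == expected
}

// hardenedVerifyAudience accepts both forms RFC 7519 allows for "aud", a single
// string or an array of strings, and rejects any other type or a non-matching array.
func hardenedVerifyAudience(m MapClaims, expected string, required bool) bool {
	switch aud := m["aud"].(type) {
	case nil: // claim absent (or JSON null)
		return !required
	case string:
		if aud == "" {
			return !required
		}
		return aud == expected
	case []interface{}: // encoding/json decodes a JSON array into this
		for _, v := range aud {
			if s, ok := v.(string); ok && s == expected {
				return true
			}
		}
		return false
	default: // number, object, bool: never a valid audience
		return false
	}
}
```

With the constructed claim set {"aud":["other-service"]} and required=false, vulnerableVerifyAudience returns true for expected "my-service" while hardenedVerifyAudience returns false.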

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Exploitability: 3.9 | Impact: 3.6)

Affected Packages (8 packages)

Go: github.com/dgrijalva_jwt-go_v4, < 4.0.0-preview1
Debian: debian/golang-github-dgrijalva-jwt-go, < golang-github-dgrijalva-jwt-go 3.2.0-3 (bookworm)
Go: github.com/dgrijalva_jwt-go, from 0.0.0-20150717181359-44718f8a89b0 to 3.2.0+1

Patches

🔴 Vulnerability Details (4)

OSV: Authorization bypass in github.com/dgrijalva/jwt-go (2021-05-18)
GHSA: Authorization bypass in github.com/dgrijalva/jwt-go (2021-05-18)
OSV: Authorization bypass in github.com/dgrijalva/jwt-go (2021-04-14)
OSV: CVE-2020-26160: jwt-go before 4 (2020-09-30)

📋 Vendor Advisories (3)

Red Hat: jwt-go: access restriction bypass vulnerability (2020-09-15)
Microsoft: jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fail (2020-09-08)
Debian: CVE-2020-26160: golang-github-dgrijalva-jwt-go - jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrict... (2020)

💬 Community (1)

Bugzilla: CVE-2020-26160 jwt-go: access restriction bypass vulnerability (2020-09-29)