CVE-2024-51744 — Improper Handling of Exceptional Conditions in JWT
Severity: 3.1 LOW (NVD)
EPSS: 0.1% (top 81.22%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Nov 4
Latest update: Nov 12
Description
golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to a situation where users are not checking errors in the way they should be. In particular, if a token is both expired and invalid, the error returned by `ParseWithClaims` carries both error codes. If users only check for `jwt.ErrTokenExpired` using `errors.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid …
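The failure mode described above, as an added example that is not part of the advisory or of the golang-jwt code base: a parse error that carries both an expiry failure and a signature failure, a caller that checks only for `ErrTokenExpired` with `errors.Is` (and so treats a forged token as merely stale), and the corrected check that tests for the signature failure first. The sentinel errors, `errors.Join` as the combined-error mechanism, and `hypotheticalParse` are local stand-ins defined here so the code runs without the library; they are assumptions, not the library's own implementation.

```go
package main

import (
	"errors"
	"fmt"
)

// Local stand-ins for the sentinels named in the advisory
// (jwt.ErrTokenExpired, jwt.ErrTokenSignatureInvalid). Defined here so the
// example runs offline; these are not the library's definitions.
var (
	ErrTokenExpired          = errors.New("token is expired")
	ErrTokenSignatureInvalid = errors.New("token signature is invalid")
)

// validationFailure selects which constructed outcome hypotheticalParse
// returns; no real JWT is parsed in this example.
type validationFailure int

const (
	failNone validationFailure = iota
	failExpired
	failBadSignature
	failExpiredAndBadSignature
)

// hypotheticalParse models the error side of a ParseWithClaims-style call.
// For the combined case it returns a single error value that wraps both
// failures (errors.Join is used here as a stand-in for the library's
// combined error), which is the situation the advisory describes.
func hypotheticalParse(mode validationFailure) error {
	switch mode {
	case failExpired:
		return ErrTokenExpired
	case failBadSignature:
		return ErrTokenSignatureInvalid
	case failExpiredAndBadSignature:
		return errors.Join(ErrTokenSignatureInvalid, ErrTokenExpired)
	}
	return nil
}

// isAuthenticUnsafe is the pattern the advisory warns about. The caller
// wants to treat "expired" as a soft failure (for example to offer a
// refresh), so it asks only whether the error is an expiry error. Because
// errors.Is also matches when the expiry error is one of several wrapped
// failures, a token that is expired AND has a bad signature is reported
// as authentic. It returns true when the token would be trusted.
func isAuthenticUnsafe(err error) bool {
	if err == nil {
		return true
	}
	if errors.Is(err, ErrTokenExpired) {
		return true // wrong: the same error may also carry a signature failure
	}
	return false
}

// isAuthenticSafe tests for the signature failure before granting any
// leniency for expiry, so a forged-and-expired token is rejected while a
// genuinely signed but stale token can still be routed to a refresh flow.
// If no leniency for expiry is needed at all, rejecting on any non-nil
// error is simpler and safer still.
func isAuthenticSafe(err error) bool {
	if err == nil {
		return true
	}
	if errors.Is(err, ErrTokenSignatureInvalid) {
		return false
	}
	if errors.Is(err, ErrTokenExpired) {
		return true // signature verified, only the exp claim failed
	}
	return false
}

func main() {
	err := hypotheticalParse(failExpiredAndBadSignature)
	fmt.Println("expired-only check trusts forged+expired token:", isAuthenticUnsafe(err)) // true
	fmt.Println("signature-first check trusts forged+expired token:", isAuthenticSafe(err)) // false
}
```

The key observation is that `errors.Is(err, ErrTokenExpired)` answering true says nothing about whether other failures are wrapped in the same error; a positive match on one sentinel must not be read as the absence of the others.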
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Exploitability: 1.6 | Impact: 1.4
Affected Packages (23 packages)
debian/golang-github-golang-jwt-jwt < 5.0.0+really4.5.2-1 (forky)
Vulnerability Details (4)
OSV: Improper error handling in ParseWithClaims and bad documentation may cause dangerous situations in github.com/golang-jwt/jwt (2024-11-12)
GHSA: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations (2024-11-04)
OSV: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations (2024-11-04)
Vendor Advisories (3)
Microsoft: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt (2024-11-12)
Red Hat: golang-jwt: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt (2024-11-04)
Debian: CVE-2024-51744: golang-github-golang-jwt-jwt - golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of t... (2024)
Threat Intelligence (2)
Community (1)
Bugzilla: CVE-2024-51744 golang-jwt: Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt (2024-11-04)