Identifier

CVE-2020-26160

Package Slug

go/github.com/dgrijalva/jwt-go

Vulnerability

Missing Authorization

Description

jwt-go allows attackers to bypass intended access restrictions when m["aud"] holds a []string{} (which the specification allows). Because the type assertion fails, aud takes the value "". This is a security problem if the JWT is presented to a service that lacks its own audience check.
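
The failure mode described above, as an added example that is not jwt-go's own code: `lenientAud` models the failed type assertion, and `strictAudience` is one way a service could perform its own fail-closed audience check. The function names, the audience values and the sample claims are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// lenientAud (hypothetical helper) models the behaviour the advisory describes:
// the string assertion fails on an array-valued "aud" and silently yields "".
func lenientAud(m map[string]interface{}) string {
	aud, _ := m["aud"].(string)
	return aud
}

// strictAudience (hypothetical helper) fails closed unless an "aud" entry equals want.
func strictAudience(m map[string]interface{}, want string) bool {
	var auds []interface{}
	switch v := m["aud"].(type) {
	case string:
		auds = []interface{}{v}
	case []interface{}: // what encoding/json produces for a JSON array
		auds = v
	case []string: // claims built in code rather than decoded
		for _, s := range v {
			auds = append(auds, s)
		}
	default: // missing claim or unexpected type
		return false
	}
	for _, a := range auds {
		if s, ok := a.(string); ok && s != "" && s == want {
			return true
		}
	}
	return false
}

// decodeClaims parses a claims document; a parse error yields empty claims.
func decodeClaims(raw string) map[string]interface{} {
	m := map[string]interface{}{}
	if err := json.Unmarshal([]byte(raw), &m); err != nil {
		return map[string]interface{}{}
	}
	return m
}

func main() {
	c := decodeClaims(`{"sub":"alice","aud":["reports-api","mail-api"]}`) // constructed sample
	fmt.Printf("lenient=%q strict(billing-api)=%v strict(reports-api)=%v\n", lenientAud(c), strictAudience(c, "billing-api"), strictAudience(c, "reports-api"))
}
```

A service whose audience is `billing-api` sees an empty audience from the lenient path for this token, while the strict check rejects it because none of the listed audiences match.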

Affected Versions

All versions up to 3.2.0

Solution

Unfortunately, there is no solution available yet.

Last Modified

2020-10-12
