This repository has been archived by the owner on Feb 24, 2022. It is now read-only.

Remove rotten jwt-go lib #62

Closed
papey opened this issue Aug 10, 2021 · 0 comments · Fixed by #63
Labels
vulnerability Something is flawed


papey commented Aug 10, 2021

dgrijalva/jwt-go#428

From Dependabot:

jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1

@papey papey added the vulnerability Something is flawed label Aug 10, 2021
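
A simplified model of the audience check the advisory describes, next to a version that handles both claim forms. This is an added example, not jwt-go's code or this repository's. The function names, the `billing` service name and the payloads are constructed, and it assumes the lenient check treats an empty audience as absent and accepts it.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// lenientAudOK models the flawed pattern: one string type assertion.
// A JSON array fails the assertion, so aud silently becomes "".
// Assumption: an empty aud is treated as "claim absent" and accepted.
func lenientAudOK(claims map[string]interface{}, want string) bool {
	aud, _ := claims["aud"].(string)
	return aud == "" || aud == want
}

// strictAudOK accepts both forms the specification allows (a string or an
// array of strings) and fails closed when the claim is missing, has another
// type, or contains no string entry equal to want.
func strictAudOK(claims map[string]interface{}, want string) bool {
	switch v := claims["aud"].(type) {
	case string:
		return v == want
	case []interface{}: // encoding/json decodes JSON arrays to this type
		for _, e := range v {
			if s, ok := e.(string); ok && s == want {
				return true
			}
		}
	}
	return false
}

// check decodes a claims payload and reports both verdicts.
func check(payload, want string) (lenient, strict bool, err error) {
	var claims map[string]interface{}
	if err = json.Unmarshal([]byte(payload), &claims); err != nil {
		return false, false, err
	}
	return lenientAudOK(claims, want), strictAudOK(claims, want), nil
}

func main() {
	// Constructed payloads; "billing" is a hypothetical service name.
	for _, p := range []string{`{"aud":["other-service"]}`, `{"aud":["billing","reports"]}`, `{"aud":"billing"}`, `{}`} {
		l, s, _ := check(p, "billing")
		fmt.Printf("%-30s lenient=%v strict=%v\n", p, l, s)
	}
}
```

The first payload is the case from the advisory: an array-valued `aud` naming a different service passes the lenient check and is rejected by the strict one.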