CVE-2020-26160 – jwt-go: access restriction bypass vulnerability
https://notcve.org/view.php?id=CVE-2020-26160
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations where m["aud"] is a []string{} (which is allowed by the specification). Because the type assertion to string fails, "" becomes the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

A vulnerability was found in jwt-go that allows an Access Restriction Bypass: if m["aud"] happens to be []string{}, as allowed by the spec, the type assertion fails and the value of aud is "".

References:
• https://github.com/dgrijalva/jwt-go/pull/426
• https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515
• https://access.redhat.com/security/cve/CVE-2020-26160
• https://bugzilla.redhat.com/show_bug.cgi?id=1883371

Weaknesses:
• CWE-284: Improper Access Control
• CWE-287: Improper Authentication
• CWE-755: Improper Handling of Exceptional Conditions
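The following Go program is an added illustration, not code from the jwt-go project or from this advisory. It re-creates the defect the description names (a single `.(string)` type assertion on the "aud" claim that silently yields "" for an array audience, so the empty audience passes when the check is not marked required) beside a hardened checker that normalizes the RFC 7519 "aud" forms (string, []string, and the []interface{} that encoding/json produces) and fails closed on any other type. The function names, the Claims type and the sample payloads are constructed for this example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// Claims is a plain claim map, the shape a decoded JWT payload takes.
type Claims map[string]interface{}

// verifyAudVulnerable mirrors the defect described in CVE-2020-26160 (re-created
// here for illustration; this is not jwt-go's source). A single-type assertion
// turns a []string "aud" into "", and an empty aud passes when not required.
func verifyAudVulnerable(m Claims, cmp string, required bool) bool {
	aud, _ := m["aud"].(string) // assertion fails silently for []string: aud == ""
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// audienceValues normalizes the "aud" claim, which RFC 7519 allows to be a
// string or an array of strings, into a slice. A JSON array decoded into an
// interface{} arrives as []interface{}, so that form is handled too. Any other
// type is reported as malformed so the caller can reject the token.
func audienceValues(v interface{}) ([]string, bool) {
	switch a := v.(type) {
	case nil:
		return nil, true
	case string:
		return []string{a}, true
	case []string:
		return a, true
	case []interface{}:
		out := make([]string, 0, len(a))
		for _, e := range a {
			s, ok := e.(string)
			if !ok {
				return nil, false
			}
			out = append(out, s)
		}
		return out, true
	default:
		return nil, false
	}
}

// verifyAudFixed accepts the token only if one of the listed audiences matches
// cmp; an absent audience passes only when the check is not required, and a
// malformed claim is always rejected (fail closed).
func verifyAudFixed(m Claims, cmp string, required bool) bool {
	auds, ok := audienceValues(m["aud"])
	if !ok {
		return false
	}
	if len(auds) == 0 {
		return !required
	}
	for _, a := range auds {
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			return true
		}
	}
	return false
}

// decodeClaims parses a (constructed, already base64-decoded) JWT payload.
func decodeClaims(payload string) (Claims, error) {
	var c Claims
	if err := json.Unmarshal([]byte(payload), &c); err != nil {
		return nil, err
	}
	return c, nil
}

func main() {
	// Constructed token payload issued for a different service than ours.
	foreign, _ := decodeClaims(`{"sub":"alice","aud":["other-service"]}`)
	// Constructed claims built directly with a Go []string, as in the advisory.
	direct := Claims{"aud": []string{"other-service"}}

	fmt.Println("vulnerable accepts foreign JSON token:", verifyAudVulnerable(foreign, "api", false))
	fmt.Println("vulnerable accepts []string token:    ", verifyAudVulnerable(direct, "api", false))
	fmt.Println("fixed accepts foreign JSON token:     ", verifyAudFixed(foreign, "api", false))
	fmt.Println("fixed accepts []string token:         ", verifyAudFixed(direct, "api", false))
}
```

The vulnerable path prints true for both foreign tokens when the audience check is optional, which is the bypass the advisory describes; the hardened path rejects them while still accepting a multi-valued "aud" that lists the verifying service.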