Upgrade dgrijalva/jwt-go v3.2.0 to golang-jwt/jwt v4.3.0

Open Clasyc opened this issue 3 years ago • 2 comments

dgrijalva/jwt-go v3.2.0 has a security issue, CVE-2020-26160. A security patch does not exist, and it is recommended to switch to golang-jwt.

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

https://github.com/golang-jwt/jwt/blob/main/MIGRATION_GUIDE.md

Clasyc avatar Mar 10 '22 23:03 Clasyc
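
The audience-check failure described in the CVE text above, as an added example that is not part of the original issue or of either jwt library: a simplified, stdlib-only model of the failed type assertion next to a check that handles both `aud` shapes. The function names, the `required` flag (modelling a caller that treats the audience claim as optional) and the sample payload are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// naiveAudOK models the flawed pattern (simplified, not the library's source):
// an array-valued "aud" fails the string assertion and aud silently becomes "".
func naiveAudOK(claims map[string]interface{}, want string, required bool) bool {
	aud, _ := claims["aud"].(string)
	if aud == "" {
		return !required // empty is treated as "claim absent"
	}
	return aud == want
}

// strictAudOK accepts both shapes RFC 7519 allows and fails closed otherwise.
func strictAudOK(claims map[string]interface{}, want string, required bool) bool {
	raw, present := claims["aud"]
	if !present {
		return !required
	}
	switch v := raw.(type) {
	case string:
		return v == want
	case []interface{}: // how encoding/json decodes a JSON array
		for _, e := range v {
			if s, ok := e.(string); ok && s == want {
				return true
			}
		}
	}
	return false // no match, empty list, or unexpected type
}

// decode parses a constructed JWT payload (claims JSON only, no signature).
func decode(payload string) map[string]interface{} {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &m); err != nil {
		panic(err)
	}
	return m
}

func main() {
	c := decode(`{"sub":"alice","aud":["billing-api"]}`) // constructed sample
	fmt.Println("naive:", naiveAudOK(c, "inventory-api", false))
	fmt.Println("strict:", strictAudOK(c, "inventory-api", false))
}
```

A regression test of this shape (array-valued `aud` naming a different service must be rejected) is worth keeping in the consuming service after the migration.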

@raven-chen please, can you take a look at this?

Clasyc avatar May 20 '22 07:05 Clasyc

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

theplant-ci avatar Jan 11 '24 07:01 theplant-ci