
CVE-2021-33890

Open grantzvolsky opened this issue 2 years ago • 7 comments

This is my last attempt at contacting the maintainers before I make a public disclosure of this vulnerability whose severity I gauge at medium. If you are a maintainer of this repository, please send me an email to echo '[email protected]' | tr 'b-za' 'a-yz'.

grantzvolsky avatar Sep 19 '21 20:09 grantzvolsky

@grantzvolsky the vulnerability is already public.

This repository is not being maintained anymore so I am afraid you should not expect a response.

The development continues in golang-jwt/jwt where this vulnerability is fixed already.

ripienaar avatar Sep 19 '21 20:09 ripienaar

@ripienaar I'm aware that form3tech-oss promptly fixed it in their fork of jwt-go when I notified them, and I see that it is now also fixed in golang-jwt/jwt. Nevertheless, many projects still depend on dgrijalva/jwt-go, so as long as it isn't also fixed here, I should at some point make a public disclosure with the advice to use one of the maintained forks. To my knowledge, your comment is the first public link from the CVE number to the details of the vulnerability, so I might as well do it now. It has been 3 months, anyway.

grantzvolsky avatar Sep 19 '21 21:09 grantzvolsky

There have been countless issues opened here. Pages of discussion. All mentioning the CVE. Plus the CVE is not embargoed and is widely known (see all the PRs mentioning it).

Snyk also already alerts their users, etc.

And it clearly states in the readme that this repository is inactive, and there is the linked-to issue.

Suggesting you are somehow making some new thing public is a bit of a stretch, let's be honest, after months of effort, while apparently not paying attention. It's already widely known.

ripienaar avatar Sep 19 '21 21:09 ripienaar

Are you certain you're talking about CVE-2021-33890? Judging by your description, you're probably talking about CVE-2020-26160. These two are not related.

grantzvolsky avatar Sep 19 '21 21:09 grantzvolsky

You're right. I was being an arsehole; please accept my apology.

Regardless, the maintainer will not respond; this repo is as good as dead.

ripienaar avatar Sep 19 '21 23:09 ripienaar

The easiest way to get rid of this library is

replace github.com/dgrijalva/jwt-go v3.2.0+incompatible => github.com/golang-jwt/jwt/v4 v4.1.0

and this also helps for 3rd-party libs, since it's a

Community maintained clone of https://github.com/dgrijalva/jwt-go

HaBaLeS avatar Oct 23 '21 20:10 HaBaLeS
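The replace directive above only helps if it is actually present in the main module's go.mod (a replace in the main module rewrites the dependency for the whole build, including third-party libraries that still import dgrijalva/jwt-go). The following is an added example, not code from this thread or from either jwt project: a small POSIX sh audit that reports whether a go.mod still requires github.com/dgrijalva/jwt-go and, if so, whether a replace to github.com/golang-jwt/jwt/v4 redirects it. The sample go.mod contents are constructed for the demonstration; the module names and versions come from the comment above.

```shell
#!/bin/sh
# Added example (not from the thread): audit a go.mod for the unmaintained
# dgrijalva/jwt-go module and check whether the replace directive suggested
# in the thread is in place. Sample go.mod files below are constructed.

OLD_MOD='github.com/dgrijalva/jwt-go'
NEW_MOD='github.com/golang-jwt/jwt/v4'

# jwt_go_status FILE -> prints one of: clean | replaced | vulnerable
#   clean      : go.mod does not require dgrijalva/jwt-go at all
#   replaced   : it is required (directly or // indirect) but a replace
#                directive points it at golang-jwt/jwt
#   vulnerable : it is required and nothing redirects it (exit status 1,
#                so the function can gate a CI job)
jwt_go_status() {
    f="$1"
    # Match both "require X v..." and the indented block form "\tX v...".
    if ! grep -Eq "^[[:space:]]*(require[[:space:]]+)?$OLD_MOD[[:space:]]+v" "$f"; then
        echo clean
        return 0
    fi
    # Match "replace X [vN] => Y ..." in one-line or block form.
    if grep -Eq "^[[:space:]]*(replace[[:space:]]+)?$OLD_MOD([[:space:]]+v[^ ]+)?[[:space:]]*=>[[:space:]]*$NEW_MOD" "$f"; then
        echo replaced
        return 0
    fi
    echo vulnerable
    return 1
}

# Constructed sample go.mod files, one per outcome. Returns the directory.
mk_samples() {
    dir=$(mktemp -d)
    cat > "$dir/vulnerable.mod" <<'EOF'
module example.com/legacy

go 1.17

require (
	github.com/dgrijalva/jwt-go v3.2.0+incompatible // indirect
	golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
)
EOF
    cat > "$dir/replaced.mod" <<'EOF'
module example.com/legacy

go 1.17

require github.com/dgrijalva/jwt-go v3.2.0+incompatible

replace github.com/dgrijalva/jwt-go v3.2.0+incompatible => github.com/golang-jwt/jwt/v4 v4.1.0
EOF
    cat > "$dir/clean.mod" <<'EOF'
module example.com/modern

go 1.17

require github.com/golang-jwt/jwt/v4 v4.1.0
EOF
    echo "$dir"
}

# To apply the fix rather than just detect the gap, the equivalent of the
# replace line in the thread is (run in the main module, then re-tidy):
#   go mod edit -replace github.com/dgrijalva/jwt-go@v3.2.0+incompatible=github.com/golang-jwt/jwt/v4@v4.1.0
#   go mod tidy

# Usage: sh audit.sh path/to/go.mod
if [ "$#" -eq 1 ]; then
    jwt_go_status "$1"
fi
```

The check is a go.mod text scan, so it catches the indirect requirement that Go 1.17+ records in the main module but not a dependency pinned only in a vendored copy; for a definitive view of the resolved build list, compare its output with `go list -m all`.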

> @ripienaar I'm aware that form3tech-oss promptly fixed it in their fork of jwt-go when I notified them, and I see that it is now also fixed in golang-jwt/jwt. Nevertheless, many projects still depend on dgrijalva/jwt-go, so as long as it isn't also fixed here, I should at some point make a public disclosure with the advice to use one of the maintained forks. To my knowledge, your comment is the first public link from the CVE number to the details of the vulnerability, so I might as well do it now. It has been 3 months, anyway.

Hi, one of the maintainers of golang-jwt/jwt here. I just stumbled on this thread from https://github.com/golang-jwt/jwt/issues/185. Unfortunately, no public information is available (yet) on this CVE and I do not have any further non-public information. Would you mind disclosing more details to me at [email protected], even though you mentioned we already fixed the issue anyway?

We are also in the process of setting up a mailing list for security issues (see https://github.com/golang-jwt/jwt/pull/171).

oxisto avatar Mar 24 '22 13:03 oxisto