
Upgrade dgrijalva/jwt-go/v3 to v4 to fix Mend report vulnerabilities

Open shawnhankim opened this issue 5 months ago • 0 comments

Background

  • NIST CVE-2020-26160
    • jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification).
    • Because the type assertion fails, "" is the value of aud.
    • This is a security problem if the JWT token is presented to a service that lacks its own audience check.
  • Related MR for dgrijalva/jwt-go: https://github.com/dgrijalva/jwt-go/pull/426

Fix

  • [x] Add go.mod
  • [x] Upgrade dgrijalva/jwt-go/v3 to v4 to fix Mend report vulnerabilities
  • [x] Fix fields' format of jwt.StandardClaims after upgrading dgrijalva/jwt-go

shawnhankim, Sep 03 '24 21:09
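To make the bypass described in the Background concrete, here is an added example (not code from this issue, from go-sfdc or from jwt-go) that reimplements the pre-fix style of audience check beside a hardened one that handles both the string and the array form of `aud`; the type `Claims`, the functions `verifyAudV3Style` and `verifyAudHardened`, and the audience names `my-service`, `other-service` and `billing` are all constructed for illustration.

```go
package main

import "crypto/subtle"
import "fmt"

// Claims is a decoded JWT claim set as encoding/json produces it (no jwt library needed).
type Claims map[string]interface{}
// verifyAudV3Style mirrors the pre-fix logic the issue describes: "aud" is type-asserted to a
// single string, so an array-valued aud becomes "" and, unless required, the check passes.
func verifyAudV3Style(c Claims, expected string, required bool) bool {
	aud, _ := c["aud"].(string) // assertion fails (aud == "") for []string / []interface{}
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(expected)) == 1
}
// verifyAudHardened accepts both shapes RFC 7519 allows for "aud" (a string or an
// array of strings) and succeeds only if expected is actually listed.
func verifyAudHardened(c Claims, expected string, required bool) bool {
	var auds []string
	switch v := c["aud"].(type) {
	case string:
		auds = []string{v}
	case []string:
		auds = v
	case []interface{}: // what encoding/json yields for a JSON array
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false // malformed aud: reject, do not ignore
			}
			auds = append(auds, s)
		}
	case nil:
		return !required
	default:
		return false
	}
	for _, a := range auds {
		if subtle.ConstantTimeCompare([]byte(a), []byte(expected)) == 1 {
			return true
		}
	}
	return false
}
func main() {
	// Constructed claim set: the token was issued for other services, not "my-service".
	c := Claims{"aud": []interface{}{"other-service", "billing"}}
	fmt.Println(verifyAudV3Style(c, "my-service", false), verifyAudHardened(c, "my-service", false)) // true false
}
```

The first result is the CVE-2020-26160 behaviour (a token for another audience is accepted); the hardened check rejects it while still accepting a token whose array form lists the expected audience.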