mirror of
https://github.com/0xMarcio/cve.git
synced 2025-05-08 11:36:33 +00:00
24 lines
1.0 KiB
Markdown
24 lines
1.0 KiB
Markdown
|
### [CVE-2020-26160](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160)
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
### Description
|
||
|
|
|
||
|
|
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
|
||
|
|
|
||
|
|
### POC
|
||
|
|
|
||
|
|
#### Reference
|
||
|
|
No PoCs from references.
|
||
|
|
|
||
|
|
#### Github
|
||
|
|
- https://github.com/ARPSyndicate/cvemon
|
||
|
|
- https://github.com/chair6/test-go-container-images
|
||
|
|
- https://github.com/finnigja/test-go-container-images
|
||
|
|
- https://github.com/k1LoW/oshka
|
||
|
|
- https://github.com/laojianzi/laojianzi
|
||
|
|
- https://github.com/naveensrinivasan/stunning-tribble
|
||
|
|
- https://github.com/novalagung/mypullrequests
|
||
|
|
|