mirror of
https://github.com/0xMarcio/cve.git
synced 2025-05-07 11:06:19 +00:00
1.0 KiB
1.0 KiB
CVE-2020-26160
Description
jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
POC
Reference
No PoCs from references.
Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/chair6/test-go-container-images
- https://github.com/finnigja/test-go-container-images
- https://github.com/k1LoW/oshka
- https://github.com/laojianzi/laojianzi
- https://github.com/naveensrinivasan/stunning-tribble
- https://github.com/novalagung/mypullrequests