Lucene search

[email protected]CVE-2016-9122

HistoryMar 28, 2017 - 2:59 a.m.

CVE-2016-9122

2017-03-2802:59:00

CWE-284

[email protected]

web.nvd.nist.gov

go-jose

cve-2016-9122

security

exploit

signature

validation

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.2 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

48.7%

JSON

go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.

Affected configurations

NVD

Node

go-jose_projectgo-joseRange≤1.0.3

CPENameOperatorVersion
go-jose_project:go-josego-jose project go-josele1.0.3

CPE	Name	Operator	Version
go-jose_project:go-jose	go-jose project go-jose	le	1.0.3

CNA Affected

[
  {
    "product": "Go JOSE All versions before 1.0.4",
    "vendor": "n/a",
    "versions": [
      {
        "status": "affected",
        "version": "Go JOSE All versions before 1.0.4"
      }
    ]
  }
]