jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

🗓️ 11 Sep 2024 07:00:00Reported by MicrosoftType

jwt-go before 4.0.0-preview1 allows access bypass when aud is empty due to type assertion failure on []string{}.

Reporter	Title	Published	Views	Family All 49
IBM Security Bulletins	Security Bulletin: IBM Security Guardium Insights is affected by JWT-Go vulnerability (CVE-2020-26160)	2 Feb 202216:08	–	ibm
IBM Security Bulletins	Security Bulletin: A jwt-go vulnerability affects IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data (CVE-2020-26160)	12 Jan 202321:59	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities affect IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data	29 Jun 202217:05	–	ibm
IBM Security Bulletins	Security Bulletin: A vulnerability have been identified in jwt-go shipped with IBM Netcool Operations Insight Event Integrations Operator (CVE-2020-26160)	14 Dec 202002:44	–	ibm
IBM Security Bulletins	Security Bulletin: Open Source Dependency Vulnerability	15 May 202318:49	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple vulnerabilities in go.etcd.io/etcd package affects IBM Watson Machine Learning Accelerator on Cloud Pak for Data	6 Dec 202316:17	–	ibm
IBM Security Bulletins	Security Bulletin: IBM CICS TX Advanced is vulnerable to multiple vulnerabilities in Kubernetes.	14 Feb 202321:04	–	ibm
IBM Security Bulletins	Security Bulletin: IBM CICS TX Standard is vulnerable to multiple vulnerabilities in Kubernetes.	14 Feb 202321:14	–	ibm
IBM Security Bulletins	Security Bulletin: Open Source Dependency Vulnerability	15 May 202318:36	–	ibm
AlpineLinux	CVE-2020-26160	30 Sep 202012:57	–	alpinelinux