How to bypass the CVE-2020-26160 vulnerability in dgrijalva/jwt-go?
The Container Security stage of a GitLab pipeline is failing because of a high-severity vulnerability. The vulnerability is in jwt-go; the installed version is v3.2.0+incompatible. The error title looks like this: jwt-go: access restriction bypass vulnerability --> avd.aquasec.com/nvd/cve-2020-26160. The Go version of the repo in question is 1.16.3. How do I fix this vulnerability?
The CVE-2020-26160 vulnerability is due to the fact that dgrijalva/jwt-go incorrectly models the JWT aud field as a string, when based on the JWT specs it should be an array of strings:
"In the general case, the "aud" value is an array of case-sensitive strings"
You cannot bypass it yourself, because it is a bug in the library: https://github.com/dgrijalva/jwt-go/issues/428
Switch to the official community fork golang-jwt/jwt; its v3.2.1 fixes the vulnerability: https://github.com/golang-jwt/jwt/releases/tag/v3.2.1
- Import Path Change: See MIGRATION_GUIDE.md for tips on updating your code. Changed the import path from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt
- Fixed type confusion issue between string and []string in VerifyAudience (#12). This fixes CVE-2020-26160
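The type confusion described in the answer above, as an added example that is not part of the original page and not code from either repository: two reconstructions of VerifyAudience, written here to model the v3.2.0 behaviour and the v3.2.1 fix as the answer describes them, run against a constructed token whose aud claim is an array. The token builder, the helper names and the sample claims are assumptions for illustration, and signature verification is deliberately left out; the point is only what happens to the audience check after the signature has already been accepted.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// MapClaims is the untyped claim-set shape jwt-go works with: a decoded JSON object.
type MapClaims map[string]interface{}

// verifyAudienceV320 models the dgrijalva/jwt-go v3.2.0 behaviour behind
// CVE-2020-26160 (a reconstruction for this example, not the library's source).
// "aud" is assumed to be a string; when the token carries an array, the type
// assertion silently yields "" and the check degrades to "is aud required at all?".
func verifyAudienceV320(m MapClaims, cmp string, required bool) bool {
	aud, _ := m["aud"].(string)
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) != 0
}

// verifyAudienceFixed models the golang-jwt/jwt v3.2.1 fix (again a
// reconstruction): both the string and the array form of "aud" are accepted,
// and the claim only passes if one entry actually matches cmp.
func verifyAudienceFixed(m MapClaims, cmp string, required bool) bool {
	var aud []string
	switch v := m["aud"].(type) {
	case string:
		aud = append(aud, v)
	case []string:
		aud = v
	case []interface{}: // what encoding/json produces for a JSON array
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false // non-string audience entry: reject outright
			}
			aud = append(aud, s)
		}
	}
	if len(aud) == 0 {
		return !required
	}
	match := false
	nonEmpty := 0
	for _, a := range aud { // compare every entry so timing does not reveal the match position
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) != 0 {
			match = true
		}
		nonEmpty += len(a)
	}
	if nonEmpty == 0 { // ["", ""] is treated like a missing claim
		return !required
	}
	return match
}

// claimsFromToken decodes the payload segment of a compact JWS. It does not
// check the signature; this example is only about the audience check.
func claimsFromToken(token string) (MapClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var m MapClaims
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	return m, nil
}

// unsignedToken builds a constructed sample token around the given payload JSON.
// The header and the empty signature segment are placeholders; no key is involved.
func unsignedToken(payloadJSON string) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload := base64.RawURLEncoding.EncodeToString([]byte(payloadJSON))
	return header + "." + payload + "."
}

func main() {
	// Constructed sample: a token minted for service-b, using the array form of aud.
	claims, err := claimsFromToken(unsignedToken(`{"sub":"alice","aud":["service-b"]}`))
	if err != nil {
		panic(err)
	}
	// service-a checks the token with required=false, i.e. tokens without any aud are tolerated.
	fmt.Println("v3.2.0 accepts service-b token at service-a:", verifyAudienceV320(claims, "service-a", false))
	fmt.Println("fixed  accepts service-b token at service-a:", verifyAudienceFixed(claims, "service-a", false))
	fmt.Println("fixed  accepts service-b token at service-b:", verifyAudienceFixed(claims, "service-b", false))
}
```

The dangerous combination is an array-valued aud together with required=false: the old check turns the array into the empty string and then treats the token as if it had no audience at all, so a token issued for service-b is accepted by service-a. Passing required=true masks the bypass for array tokens, but still rejects every legitimate token that uses the array form, which is why the only real fix is the library upgrade the answer recommends.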
github.com/dgrijalva/jwt-go resolved this vulnerability 25 days ago; the version you are using (v3.2.0) is from 2018. Updating to the latest version of that library should resolve all of the jwt security issues.