jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m[aud] (which is allowed by the specification). Because the type assertion fails, is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.
Weakness
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Jwt-go | Jwt-go_project | * | 3.2.0 (including) |
| Cryostat 2 on RHEL 8 | RedHat | cryostat-20-tech-preview/cryostat-operator-bundle:2.0.0-6.1639085863 | * |
| Cryostat 2 on RHEL 8 | RedHat | cryostat-20-tech-preview/cryostat-rhel8-operator:2.0.0-5 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/client-kn-rhel8:0.19.1-4 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/eventing-apiserver-receive-adapter-rhel8:0.19.2-3 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/eventing-controller-rhel8:0.19.2-3 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/eventing-in-memory-channel-controller-rhel8:0.19.2-3 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8:0.19.2-3 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/eventing-mtbroker-filter-rhel8:0.19.2-3 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/eventing-mtbroker-ingress-rhel8:0.19.2-3 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/eventing-mtchannel-broker-rhel8:0.19.2-3 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/eventing-mtping-rhel8:0.19.2-3 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/eventing-storage-version-migration-rhel8:0.19.2-3 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/eventing-sugar-controller-rhel8:0.19.2-3 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/eventing-webhook-rhel8:0.19.2-3 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/ingress-rhel8-operator:1.13.0-6 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/knative-rhel8-operator:1.13.0-6 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/kn-cli-artifacts-rhel8:0.19.1-2 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/kourier-control-rhel8:0.19.0-3 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/serverless-operator-bundle:1.13.0-9 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/serverless-rhel8-operator:1.13.0-6 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/serving-activator-rhel8:0.19.0-5 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/serving-autoscaler-hpa-rhel8:0.19.0-5 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/serving-autoscaler-rhel8:0.19.0-5 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/serving-controller-rhel8:0.19.0-5 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/serving-domain-mapping-rhel8:0.19.0-5 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/serving-domain-mapping-webhook-rhel8:0.19.0-5 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/serving-queue-rhel8:0.19.0-6 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/serving-storage-version-migration-rhel8:0.19.0-5 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/serving-webhook-rhel8:0.19.0-5 | * |
| Openshift Serveless 1.13 | RedHat | openshift-serverless-1/svls-must-gather-rhel8:1.13.0-3 | * |
| Red Hat OpenShift Container Platform 4.7 | RedHat | openshift4/ose-azure-machine-controllers:v4.7.0-202102130115.p0 | * |
| Red Hat OpenShift Container Platform 4.8 | RedHat | openshift4/ose-baremetal-installer-rhel8:v4.8.0-202106291913.p0.git.a5ddd2d.assembly.stream | * |
| Red Hat OpenShift Container Platform 4.8 | RedHat | openshift4/ose-etcd:v4.8.0-202106152230.p0.git.aefa6bf.assembly.stream | * |
| Red Hat OpenShift Container Storage 4.7.0 on RHEL-8 | RedHat | ocs4/mcg-rhel8-operator:5.7.0-69.85e2026.5.7 | * |
| Red Hat OpenShift Container Storage 4.7.0 on RHEL-8 | RedHat | mcg-0:5.7.0-69.85e2026.5.7.el8 | * |
| Golang-github-coreos-discovery-etcd-io | Ubuntu | focal | * |
| Golang-github-coreos-discovery-etcd-io | Ubuntu | groovy | * |
| Golang-github-coreos-discovery-etcd-io | Ubuntu | hirsute | * |
| Golang-github-coreos-discovery-etcd-io | Ubuntu | impish | * |
| Golang-github-coreos-discovery-etcd-io | Ubuntu | kinetic | * |
| Golang-github-coreos-discovery-etcd-io | Ubuntu | lunar | * |
| Golang-github-coreos-discovery-etcd-io | Ubuntu | mantic | * |
| Golang-github-coreos-discovery-etcd-io | Ubuntu | oracular | * |
| Golang-github-coreos-discovery-etcd-io | Ubuntu | plucky | * |
| Golang-github-coreos-discovery-etcd-io | Ubuntu | trusty | * |
| Golang-github-dgrijalva-jwt-go | Ubuntu | bionic | * |
| Golang-github-dgrijalva-jwt-go | Ubuntu | focal | * |
| Golang-github-dgrijalva-jwt-go | Ubuntu | groovy | * |
| Golang-github-dgrijalva-jwt-go | Ubuntu | trusty | * |
| Golang-github-dgrijalva-jwt-go | Ubuntu | xenial | * |
| Juju-core | Ubuntu | trusty | * |
| Telegraf | Ubuntu | groovy | * |
| Telegraf | Ubuntu | hirsute | * |
| Telegraf | Ubuntu | impish | * |
| Telegraf | Ubuntu | kinetic | * |
| Telegraf | Ubuntu | lunar | * |
| Telegraf | Ubuntu | mantic | * |
| Telegraf | Ubuntu | trusty | * |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/114.html
- https://cwe.mitre.org/data/definitions/115.html
- https://cwe.mitre.org/data/definitions/151.html
- https://cwe.mitre.org/data/definitions/194.html
- https://cwe.mitre.org/data/definitions/22.html
- https://cwe.mitre.org/data/definitions/57.html
- https://cwe.mitre.org/data/definitions/593.html
- https://cwe.mitre.org/data/definitions/633.html
- https://cwe.mitre.org/data/definitions/650.html
- https://cwe.mitre.org/data/definitions/94.html