jannfis changed the title from "Move away from github,com/dgrijalva/jwt-go as JWT library" to "Move away from github.com/dgrijalva/jwt-go as JWT library" on Jan 5, 2021
OK, so the research was probably wrong. The fix is in another branch - release_4_0_0 - not in master. So we can upgrade to 4.0.0-preview1 instead of to the fork. Also, my initial tests showed that the fork doesn't handle single aud claims in tokens, only two or more.
Summary

The github.com/dgrijalva/jwt-go seems to be abandoned and not maintained any more, but contains a security vulnerability marked as high. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160

The remediation says to update to 4.0.0-preview1, but from our research, this version does not contain any fix for the specified issue.

There is a fork at github.com/form3tech-oss/jwt-go which includes a correct fix. This seems to be the only code change so far: dgrijalva/jwt-go@master...form3tech-oss:master

Motivation

Provide a secure JWT implementation within Argo CD.

Proposal

github.com/dgrijalva/jwt-go that provides a correct fix for the issue
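The `aud` handling behind CVE-2020-26160 (and the single-vs-multiple `aud` difference mentioned in the comment above), shown in Go as an added example that is not the issue's or jwt-go's code: the fragile function illustrates the pattern the CVE describes (a bare string type assertion on an array-valued `aud` yields `""`, which is then treated as "no audience to check"), and the hardened one accepts both shapes RFC 7519 allows. The expected audience `argocd` and the token payload are constructed for the example; signature verification is assumed to have happened already.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// FragileVerifyAudience mirrors the pattern CVE-2020-26160 describes (an
// illustration, not the library's code): a bare type assertion to string
// yields "" for an array-valued aud, and an empty aud is then treated as
// "no audience to check", so the token passes.
func FragileVerifyAudience(claims map[string]interface{}, expected string) bool {
	aud, _ := claims["aud"].(string)
	if aud == "" {
		return true // an array-valued aud lands here and is waved through
	}
	return aud == expected
}

// VerifyAudience is the hardened form: both shapes RFC 7519 allows for aud
// (a string or an array of strings) are handled, the claim is required, and
// the token passes only if expected is one of the listed audiences.
func VerifyAudience(claims map[string]interface{}, expected string) bool {
	switch v := claims["aud"].(type) {
	case string:
		return v == expected
	case []interface{}:
		for _, item := range v {
			if s, ok := item.(string); ok && s == expected {
				return true
			}
		}
	}
	return false // missing, malformed, or not listed: fail closed
}

func main() {
	// Constructed, already signature-checked payload: an array-valued aud
	// that does not include "argocd".
	payload := []byte(`{"sub":"alice","aud":["other-service","billing"]}`)
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		panic(err)
	}
	fmt.Println("fragile:", FragileVerifyAudience(claims, "argocd"))
	fmt.Println("hardened:", VerifyAudience(claims, "argocd"))
}
```

Run against the constructed payload, the fragile check prints `true` (the bypass) while the hardened check prints `false`.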