You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Oct 23, 2023. It is now read-only.
github.com/go-kit/kit v0.10.0 internally uses older version of jwt library [github.com/dgrijalva/[email protected]+incompatible].
github.com/go-kit/kit v0.12.0 is upgraded to use community jwt library [github.com/golang-jwt/jwt v3.2.1]
problem with dgrijalva/jwt-go:
dgrijalva/jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1
The text was updated successfully, but these errors were encountered:
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
github.com/go-kit/kit v0.10.0 internally uses older version of jwt library [github.com/dgrijalva/[email protected]+incompatible].
github.com/go-kit/kit v0.12.0 is upgraded to use community jwt library [github.com/golang-jwt/jwt v3.2.1]
problem with dgrijalva/jwt-go:
dgrijalva/jwt-go allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1
The text was updated successfully, but these errors were encountered: