#VU50809 Improper Authentication in jwt-go - CVE-2020-26160

Cybersecurity Help s.r.o.

Published: 2021-02-18

Vulnerability identifier: #VU50809

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2020-26160

CWE-ID: CWE-287

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
jwt-go
Web applications / Other software

Vendor: Dave Grijalva

Description

The vulnerability allows a remote attacker to bypass authentication process.

The vulnerability exists due to improper validation when processing data passed via m["aud"]. A remote attacker can pass the []string{} string, which is allowed by the specification, however treated as an empty string and bypass authentication checks.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

jwt-go: 1.0.0 - 3.2.0

External links
https://github.com/dgrijalva/jwt-go/pull/426
https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515
https://github.com/dgrijalva/jwt-go/issues/422

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Improper Authentication in wal-g

Multiple vulnerabilities in IBM Watson Machine Learning Accelerator on Cloud Pak for Data

Multiple vulnerabilities in IBM Edge Application Manager

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data update for jwt-go

Authentication bypass in IBM Security Guardium Insights

OpenShift Serverless update for jwt-go

Authentication bypass in jwt-go