zzzming commented on issue #675:
URL:
https://github.com/apache/pulsar-client-go/issues/675#issuecomment-1015574178
This has been picked up as this CVE with high severity.
CVE-2020-26160
high severity
Vulnerable versions: <= 3.2.0
Patched version: No fix
jwt-go allows attackers to bypass intended access restrictions in situations
with []string{} for m["aud"] (which is allowed by the specification). Because
the type assertion fails, "" is the value of aud. This is a security problem if
the JWT token is presented to a service that lacks its own audience check.
There is no patch available and users of jwt-go are advised to migrate to
golang-jwt at version 3.2.1
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
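The failure mode the advisory describes, as an added example that is not code from jwt-go, golang-jwt or pulsar-client-go: a model of an audience check that type-asserts `aud` to a string, next to a check that handles both forms the specification allows and fails closed. The function names `flawedAudOK`, `strictAudOK` and `check` are hypothetical, and the claim payloads are constructed sample input.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// flawedAudOK models the behaviour the advisory describes: "aud" is
// type-asserted to string, so an array-valued claim becomes "" and an
// optional-audience check passes. Hypothetical function, not library code.
func flawedAudOK(claims map[string]interface{}, want string, required bool) bool {
	aud, _ := claims["aud"].(string) // fails silently for an array value
	if aud == "" {
		return !required
	}
	return aud == want
}

// strictAudOK accepts a string or an array of strings (encoding/json decodes
// arrays to []interface{}) and rejects a missing, empty or malformed claim.
func strictAudOK(claims map[string]interface{}, want string) bool {
	switch v := claims["aud"].(type) {
	case string:
		return v != "" && v == want
	case []interface{}:
		for _, e := range v {
			if s, ok := e.(string); ok && s == want {
				return true
			}
		}
	}
	return false
}

// check decodes a claims payload and runs both checks with an optional audience.
func check(payload, want string) (flawed, strict bool, err error) {
	var claims map[string]interface{}
	if err = json.Unmarshal([]byte(payload), &claims); err != nil {
		return false, false, err
	}
	return flawedAudOK(claims, want, false), strictAudOK(claims, want), nil
}

func main() {
	for _, p := range []string{`{"aud":"billing"}`, `{"aud":["billing"]}`, `{"aud":["reports"]}`} {
		f, s, err := check(p, "billing")
		fmt.Printf("%-22s flawed=%v strict=%v err=%v\n", p, f, s, err)
	}
}
```

The third payload is the case that matters: a token issued for a different audience passes the flawed check because the array is read as an empty string.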