hongbinhsu opened a new pull request #2303: URL: https://github.com/apache/apisix-dashboard/pull/2303
Please answer these questions before submitting a pull request, **or your PR will get closed**. **Why submit this pull request?** - [ ] Bugfix update github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt/v4 v4.2.0 **What changes will this PR take into?** Old github.com/dgrijalva/jwt-go package Not updated in 2 years, versions <4.0.0-preview1 have Access Restriction Bypass detail url:https://security.snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515 **Related issues** fix #2302 **Checklist:** 1、 go mod tidy 2、debug main.go 3、check /apisix/admin/user/login generate jwt use other api pass 4、The full findings were as follows. `{ "code": 0, "message": "", "data": { "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImV4cCI6MTY0NDA3ODg2MSwiaWF0IjoxNjQ0MDc1MjYxfQ.c6VYx3tvrFfg-BcPyQJpN_nU0omsImxb88utv_EH614" }, "request_id": "5a4ea7f5-e158-4567-b372-096d36802551" }` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
