cve-2024-51744
Vulnerability from cvelistv5
Published
2024-11-04 21:47
Modified
2024-11-05 16:11
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Summary
Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt
References
security-advisories@github.comhttps://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c
security-advisories@github.comhttps://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r
Impacted products
golang-jwtjwt
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51744",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-05T16:11:29.522504Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-05T16:11:42.243Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jwt",
          "vendor": "golang-jwt",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \"dangerous\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\"dangerous\" ones first), so that you are not running in the case detailed above."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-755",
              "description": "CWE-755: Improper Handling of Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T21:47:12.170Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r"
        },
        {
          "name": "https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c"
        }
      ],
      "source": {
        "advisory": "GHSA-29wx-vh33-7x7r",
        "discovery": "UNKNOWN"
      },
      "title": "Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-51744",
    "datePublished": "2024-11-04T21:47:12.170Z",
    "dateReserved": "2024-10-31T14:12:45.789Z",
    "dateUpdated": "2024-11-05T16:11:42.243Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-51744\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-04T22:15:03.997\",\"lastModified\":\"2024-11-05T16:04:26.053\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \\\"dangerous\\\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\\\"dangerous\\\" ones first), so that you are not running in the case detailed above.\"},{\"lang\":\"es\",\"value\":\"golang-jwt es una implementaci\u00f3n de Go de tokens web JSON. La documentaci\u00f3n poco clara del comportamiento de los errores en `ParseWithClaims` puede llevar a una situaci\u00f3n en la que los usuarios potencialmente no est\u00e9n verificando los errores como deber\u00edan. Especialmente, si un token est\u00e1 vencido y no es v\u00e1lido, los errores devueltos por `ParseWithClaims` devuelven ambos c\u00f3digos de error. Si los usuarios solo verifican `jwt.ErrTokenExpired` usando `error.Is`, ignorar\u00e1n el `jwt.ErrTokenSignatureInvalid` incorporado y, por lo tanto, potencialmente aceptar\u00e1n tokens no v\u00e1lidos. Se ha incorporado una soluci\u00f3n con la l\u00f3gica de manejo de errores de la rama `v5` a la rama `v4`. En esta l\u00f3gica, la funci\u00f3n `ParseWithClaims` regresar\u00e1 inmediatamente en situaciones \\\"peligrosas\\\" (por ejemplo, una firma no v\u00e1lida), lo que limita los errores combinados solo a situaciones en las que la firma es v\u00e1lida, pero la validaci\u00f3n posterior fall\u00f3 (por ejemplo, si la firma es v\u00e1lida, pero est\u00e1 vencida Y tiene la audiencia incorrecta). Esta correcci\u00f3n forma parte de la versi\u00f3n 4.5.1. Somos conscientes de que esto cambia el comportamiento de una funci\u00f3n establecida y no es 100 % compatible con versiones anteriores, por lo que actualizar a la versi\u00f3n 4.5.1 podr\u00eda da\u00f1ar el c\u00f3digo. En caso de que no pueda actualizar a la versi\u00f3n 4.5.0, aseg\u00farese de comprobar correctamente todos los errores (primero los \\\"peligrosos\\\"), para que no se encuentre en el caso detallado anteriormente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":3.1,\"baseSeverity\":\"LOW\"},\"exploitabilityScore\":1.6,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-755\"}]}],\"references\":[{\"url\":\"https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.