CVE-2016-9122
N/A
N/A
Summary
go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | Go JOSE All versions before 1.0.4 | Go JOSE All versions before 1.0.4 | affected |
Weaknesses
- Cryptographic Issue
ADP Enrichment
CVE Program Container
Additional References
- https://hackerone.com/reports/169629
- https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
- http://www.openwall.com/lists/oss-security/2016/11/03/1
References
- https://hackerone.com/reports/169629
- https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
- http://www.openwall.com/lists/oss-security/2016/11/03/1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.