GSD-2016-9122
Vulnerability from gsd - Updated: 2023-12-13 01:21
Details
go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.
Aliases
{
"GSD": {
"alias": "CVE-2016-9122",
"description": "go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.",
"id": "GSD-2016-9122"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2016-9122"
],
"details": "go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.",
"id": "GSD-2016-9122",
"modified": "2023-12-13T01:21:21.765376Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2016-9122",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Go JOSE All versions before 1.0.4",
"version": {
"version_data": [
{
"version_value": "Go JOSE All versions before 1.0.4"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cryptographic Issue"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/169629",
"refsource": "MISC",
"url": "https://hackerone.com/reports/169629"
},
{
"name": "https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6",
"refsource": "MISC",
"url": "https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6"
},
{
"name": "http://www.openwall.com/lists/oss-security/2016/11/03/1",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2016/11/03/1"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=v1.0.3",
"affected_versions": "All versions up to 1.0.3",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-284",
"CWE-937"
],
"date": "2017-03-29",
"description": "The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.",
"fixed_versions": [
"v1.0.4"
],
"identifier": "CVE-2016-9122",
"identifiers": [
"CVE-2016-9122"
],
"not_impacted": "All versions after 1.0.3",
"package_slug": "go/github.com/square/go-jose",
"pubdate": "2017-03-28",
"solution": "Upgrade to version 1.0.4 or above.",
"title": "Improper Access Control",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2016-9122",
"https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6"
],
"uuid": "c483e055-458d-456b-a549-1fec7e53a2d6",
"versions": [
{
"commit": {
"sha": "fab1d40c8d34a15f9302d7cb32e68818be160a4d",
"tags": [
"v1.0.3"
],
"timestamp": "20160808163607"
},
"number": "v1.0.3"
},
{
"commit": {
"sha": "284da622c2915019aa685d28dbd99b1bd1549846",
"tags": [
"v1.0.4"
],
"timestamp": "20160901001325"
},
"number": "v1.0.4"
}
]
},
{
"affected_range": "\u003c1.1.0",
"affected_versions": "All versions before 1.1.0",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-284",
"CWE-937"
],
"date": "2021-05-18",
"description": "go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.",
"fixed_versions": [
"1.1.0"
],
"identifier": "CVE-2016-9122",
"identifiers": [
"GHSA-77gc-fj98-665h",
"CVE-2016-9122"
],
"not_impacted": "All versions starting from 1.1.0",
"package_slug": "go/gopkg.in/square/go-jose.v1",
"pubdate": "2021-05-18",
"solution": "Upgrade to version 1.1.0 or above.",
"title": "Improper Access Control",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2016-9122",
"https://github.com/square/go-jose/pull/111",
"https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6",
"https://github.com/advisories/GHSA-77gc-fj98-665h"
],
"uuid": "06c49469-b3ad-4eea-a269-e5a95bfb8da5"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:go-jose_project:go-jose:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.0.3",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve-assignments@hackerone.com",
"ID": "CVE-2016-9122"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/169629",
"refsource": "MISC",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/169629"
},
{
"name": "https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6"
},
{
"name": "http://www.openwall.com/lists/oss-security/2016/11/03/1",
"refsource": "MISC",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "http://www.openwall.com/lists/oss-security/2016/11/03/1"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2017-03-29T17:49Z",
"publishedDate": "2017-03-28T02:59Z"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.