Vulnerability Report: GO-2022-0945

CVE-2016-9122, GHSA-77gc-fj98-665h
Affects: gopkg.in/square/go-jose.v1
Published: Aug 22, 2022
Modified: May 20, 2024

The go-jose library suffers from multiple signatures exploitation. When validating a signed message, the API did not indicate which signature was valid, which creates the potential for confusion.

For detailed information about this vulnerability, visit https://www.openwall.com/lists/oss-security/2016/11/03/1.

Affected Packages

Path

Go Versions

Symbols
gopkg.in/square/go-jose.v1

before v1.1.0
gopkg.in/square/go-jose.v1/cipher

before v1.1.0
- DeriveECDHES
- NewConcatKDF

Aliases

CVE-2016-9122
GHSA-77gc-fj98-665h

References

https://www.openwall.com/lists/oss-security/2016/11/03/1
https://github.com/square/go-jose/pull/111
https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96
https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507
https://vuln.go.dev/ID/GO-2022-0945.json

Credits

Quan Nguyen from Google's Information Security Engineering Team

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL