2 known bugs in github.com/dgrijalva/jwt-go, with affected versions, fixes and workarounds. Sourced from upstream issue trackers.
| Severity | Affected since | Fixed in | Title | Status | Source |
|---|---|---|---|---|---|
| high | 0.0.0-20150717181359-44718f8a89b0 | — | Authorization bypass in github.com/dgrijalva/jwt-go. jwt-go allows attackers to bypass intended access restrictions in situations with `[]string{}` for `m["aud"]` (which is allowed by the specification). Because the type assertion fails, `""` is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to [golang-jwt](https://github.com/golang-jwt/jwt) at version 3.2.1. | open | osv:GHSA-w73w-5m7g-f7qc |
| | 0.0.0-20150717181359-44718f8a89b0 | — | Authorization bypass in github.com/dgrijalva/jwt-go. If a JWT contains an audience claim with an array of strings, rather than a single string, and `MapClaims.VerifyAudience` is called with `req` set to false, then audience verification will be bypassed, allowing an invalid set of audiences to be provided. | open | osv:GO-2020-0017 |

Get this data programmatically, free and without authentication:

```shell
curl https://depscope.dev/api/bugs/go/github.com/dgrijalva/jwt-go
```
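Both entries describe the same defect from two angles: an `aud` claim that is a JSON array is decoded into `[]interface{}`, the single type assertion to `string` in the affected `VerifyAudience` fails silently, and the resulting empty audience is treated as "claim absent", which passes whenever `req` is false. The Go program below is an added example, not code from jwt-go, golang-jwt, depscope or the advisories. It decodes two constructed claim sets with `encoding/json` (which is how `MapClaims` receives them), checks the audience with a function that mirrors the affected logic as the advisories describe it, and then with a hardened variant that accepts `string`, `[]string` and `[]interface{}` audiences in the way golang-jwt 3.2.1 does. The payloads, audience names and function names are all invented for this example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// Constructed sample claim sets (decoded JWT payloads, not real tokens).
// Signature verification is out of scope here; only the aud check is shown.
const (
	singleAudPayload = `{"sub":"alice","aud":"billing-api","exp":4102444800}`
	arrayAudPayload  = `{"sub":"alice","aud":["reporting-api","admin-console"],"exp":4102444800}`
)

// ParseClaims decodes a JSON claim set into map[string]interface{}, which is
// what jwt-go's MapClaims is, so a JSON array arrives as []interface{}.
func ParseClaims(payload string) (map[string]interface{}, error) {
	var m map[string]interface{}
	if err := json.Unmarshal([]byte(payload), &m); err != nil {
		return nil, err
	}
	return m, nil
}

// VulnerableVerifyAudience mirrors the logic the advisories describe for the
// affected jwt-go releases (example paraphrase, not the library's source).
// The type assertion fails on an array, aud stays "", and an empty aud is
// treated as "claim absent": accepted whenever req is false.
func VulnerableVerifyAudience(m map[string]interface{}, cmp string, req bool) bool {
	aud, _ := m["aud"].(string) // []interface{} -> ok == false, aud == ""
	if aud == "" {
		return !req
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// HardenedVerifyAudience handles string, []string and []interface{}
// audiences, fails closed on any non-string element or unexpected type,
// and treats an all-empty audience list like a missing claim.
func HardenedVerifyAudience(m map[string]interface{}, cmp string, req bool) bool {
	var aud []string
	switch v := m["aud"].(type) {
	case nil:
		// claim absent: fall through to the len(aud) == 0 check
	case string:
		aud = append(aud, v)
	case []string:
		aud = v
	case []interface{}:
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false // malformed claim: fail closed
			}
			aud = append(aud, s)
		}
	default:
		return false // number, object, etc.: fail closed
	}
	if len(aud) == 0 {
		return !req
	}
	matched, nonEmpty := false, false
	for _, a := range aud {
		if a != "" {
			nonEmpty = true
		}
		// compare every entry so the loop stays constant-time per element
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			matched = true
		}
	}
	if !nonEmpty {
		return !req // ["", ""] carries no audience at all
	}
	return matched
}

func main() {
	for _, p := range []string{singleAudPayload, arrayAudPayload} {
		m, err := ParseClaims(p)
		if err != nil {
			panic(err)
		}
		fmt.Printf("aud=%v\n", m["aud"])
		fmt.Printf("  vulnerable, req=false: %v\n", VulnerableVerifyAudience(m, "billing-api", false))
		fmt.Printf("  vulnerable, req=true:  %v\n", VulnerableVerifyAudience(m, "billing-api", true))
		fmt.Printf("  hardened,   req=false: %v\n", HardenedVerifyAudience(m, "billing-api", false))
	}
}
```

Running it shows the problem concretely: for the array-audience token, the vulnerable path reports true for `billing-api` with `req=false` even though that audience is not in the token, while the hardened path reports false. It also shows the practical caveat: with `req=true` the vulnerable path fails closed, because the empty string is then rejected. Until the migration to golang-jwt is done, calling `VerifyAudience` with `req` set to true, or performing an independent audience check in the service, avoids the bypass; the advisory's risk applies specifically to services that rely on jwt-go alone for the audience check.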