Multiple Signatures Exploitation in go-jose Library
CVE-2016-9122

7.5HIGH

Key Information:

Vendor

Go-jose Project

Status
Go Jose All Versions Before 1.0.4
Vendor
CVE Published:
28 March 2017

What is CVE-2016-9122?

The go-jose library, prior to version 1.0.4, is susceptible to multiple signatures exploitation due to improper handling of signature validation. Users might be misled about which signature from a signed message is valid, as the API does not clearly indicate the validated signature. This flaw could result in users unintentionally leveraging protected header values from non-original signatures, leading to potential security risks within applications utilizing the library.

Affected Version(s)

Go JOSE All before 1.0.4 Go JOSE All versions before 1.0.4

References

https://hackerone.com/reports/169629
x_refsource_MISC
https://github.com/square/go-jose/commit/2c5656adca990984...
x_refsource_MISC
http://www.openwall.com/lists/oss-security/2016/11/03/1
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.