7.5

CVE-2016-9122

EPSS 0.31%
Veröffentlicht 28.03.2017 02:59:00
Zuletzt bearbeitet 20.04.2025 01:37:25
Quelle support@hackerone.com
CVE-Watchlists
Login
Unerledigt
Login

go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Go-jose Project ≫ Go-jose Version <= 1.0.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.31%	0.536

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

http://www.openwall.com/lists/oss-security/2016/11/03/1

Patch

Third Party Advisory

Mailing List

https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6

Patch

Third Party Advisory

Issue Tracking

https://hackerone.com/reports/169629

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2016-9122

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2016-9122

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2016-9122

EUVD