desdemona

Reputation: 489

How to bypass cve-2020-26160 vulnerability in dgrijalva/jwt-go?

Container Security state does not pass in Gitlab pipeline because of one high level vulnerability. This vulnerability is jwt-go and its installed version is v3.2.0+incompatible. The error title is like this: jwt-go: access restriction bypass vulnerability-->avd.aquasec.com/nvd/cve-2020-26160. The Go version of the relevant repo is 1.16.3. How can I fix this vulnerability?

Upvotes: 2

Views: 1477

Answers (2)

Pizza lord

Reputation: 763

github.com/dgrijalva/jwt-go solved this vulnerability 25 days ago; the version you use (v3.2.0) is from 2018. Updating to use the latest version of that library should solve all the jwt security problems.

Upvotes: 0

blackgreen

Reputation: 44797

The CVE-2020-26160 vulnerability is due to the fact that dgrijalva/jwt-go incorrectly models the JWT aud field as a string, when based on the JWT specs it should be a slice of strings.

In the general case, the "aud" value is an array of case-sensitive strings

You can't bypass it yourself, because it's a bug in the library: https://github.com/dgrijalva/jwt-go/issues/428

Switch to the official community fork golang-jwt/jwt, its v3.2.1 fixes the vulnerability: https://github.com/golang-jwt/jwt/releases/tag/v3.2.1

  • Import Path Change: See MIGRATION_GUIDE.md for tips on updating your code. Changed the import path from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt
  • Fixed type confusion issue between string and []string in VerifyAudience (#12). This fixes CVE-2020-26160

Upvotes: 2
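The type confusion the answer above describes, as an added stand-alone example (not code from the question, the answers, dgrijalva/jwt-go or golang-jwt/jwt). The claims are decoded with encoding/json into a map, exactly the situation where an array-valued "aud" arrives as a []interface{}. verifyAudLegacy mirrors the vulnerable pattern: "aud" is type-asserted to a string, an array fails the assertion and degrades to "", and the empty value is then treated as "claim absent", so a token issued for a different service passes whenever the caller does not mark the claim as required. verifyAudFixed is my own hardened version (not the exact golang-jwt code) that normalises string, []string and []interface{} before comparing, rejects any other shape instead of treating it as absent, and only falls back to the required flag when the claim is genuinely missing. The type name MapClaims and the payloads are assumptions constructed for this example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// MapClaims is the map-backed claims shape the answer discusses (name reused
// for illustration): values are whatever encoding/json produced, so "aud" can
// arrive as a string or as a []interface{}.
type MapClaims map[string]interface{}

// parseClaims decodes a JWT payload (already base64-decoded) into MapClaims.
func parseClaims(payload string) (MapClaims, error) {
	var m MapClaims
	if err := json.Unmarshal([]byte(payload), &m); err != nil {
		return nil, err
	}
	return m, nil
}

// verifyAudLegacy mirrors the vulnerable v3.2.0 pattern: "aud" is asserted to
// be a string. An array-valued "aud" fails the assertion and degrades to "",
// which the "empty means absent" rule then treats as "no restriction".
func verifyAudLegacy(m MapClaims, cmp string, required bool) bool {
	aud, _ := m["aud"].(string)
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// audienceList normalises the JSON shapes "aud" can take after decoding:
// absent, a single string, or an array of strings. Anything else is reported
// as malformed (ok == false) rather than silently treated as absent.
func audienceList(v interface{}) (auds []string, ok bool) {
	switch x := v.(type) {
	case nil:
		return nil, true
	case string:
		return []string{x}, true
	case []string:
		return x, true
	case []interface{}:
		for _, e := range x {
			s, isStr := e.(string)
			if !isStr {
				return nil, false
			}
			auds = append(auds, s)
		}
		return auds, true
	default:
		return nil, false
	}
}

// verifyAudFixed accepts the token only if the expected audience is listed,
// or if the claim is genuinely absent and the caller did not require it.
func verifyAudFixed(m MapClaims, cmp string, required bool) bool {
	auds, ok := audienceList(m["aud"])
	if !ok {
		return false // present but malformed: never treat as "absent"
	}
	if len(auds) == 0 {
		return !required
	}
	for _, a := range auds {
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// Constructed payloads: the second is the problematic shape, an "aud"
	// array that names a different service than the one verifying it.
	payloads := []string{
		`{"sub":"alice","aud":"my-service"}`,
		`{"sub":"bob","aud":["other-service"]}`,
		`{"sub":"carol"}`,
	}
	for _, p := range payloads {
		claims, err := parseClaims(p)
		if err != nil {
			fmt.Println("decode error:", err)
			continue
		}
		fmt.Printf("%-40s legacy=%v fixed=%v\n", p,
			verifyAudLegacy(claims, "my-service", false),
			verifyAudFixed(claims, "my-service", false))
	}
}
```

Running it shows the second payload accepted by the legacy check and rejected by the fixed one; with required=true both reject it, which is why the issue only bites callers that leave the audience optional. Using the array shape also matters for the third release-note bullet above: an "aud" that lists several services (one of them yours) is rejected by the legacy check when required, but accepted by the fixed check.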
