Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: upgrade to golang-jwt 3.2.1 to fix CVE-2020-26160 #21925

Merged
merged 1 commit into from
Jul 23, 2021

Conversation

jdstrand
Copy link
Contributor

@jdstrand jdstrand commented Jul 22, 2021

CVE-2020-26160[0] is an access restriction bypass under certain
circumstances when validating audience checks. The original
dgrijalva/jwt-go project is no longer maintained[1] and will not be
issuing a fix for this CVE[2]. Instead, they have transferred ownership
to golang-jwt/jwt[2][3][4].

The following was performed:

  1. update chronograf and jsonweb to import golang-jwt/jwt
  2. go mod edit -require github.com/golang-jwt/jwt@v3.2.1+incompatible
  3. go mod edit -droprequire github.com/dgrijalva/jwt-go
  4. go mod tidy
  5. make
  6. make test

Note: 1.x is not affected since 1.8.4rc and 1.9.0rc pulled in a prerelease version of dgrijalva/jwt-go v4 that had the fix. We should move 1.x to golang-jwt/jwt, but that s for future maintenance and not a security fix.

References:
[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160
[1] dgrijalva/jwt-go#462
[2] dgrijalva/jwt-go#463
[3] https://github.com/dgrijalva/jwt-go/blob/master/README.md
[4] https://github.com/golang-jwt/jwt

CVE-2020-26160[0] is an access restriction bypass under certain
circumstances when validating audience checks. The original
dgrijalva/jwt-go project is no longer maintained[1] and will not be
issuing a fix for this CVE[2]. Instead, they have transferred ownership
to golang-jwt/jwt[2][3][4].

The following was performed:

1. update chronograf and jsonweb to import golang-jwt/jwt
2. go mod edit -require github.com/golang-jwt/jwt@v3.2.1+incompatible
3. go mod edit -droprequire github.com/dgrijalva/jwt-go
4. go mod tidy
5. make
6. make test

References:
[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26160
[1] dgrijalva/jwt-go#462
[2] dgrijalva/jwt-go#463
[3] https://github.com/dgrijalva/jwt-go/blob/master/README.md
[4] https://github.com/golang-jwt/jwt
Copy link
Contributor

@williamhbaker williamhbaker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@jdstrand jdstrand merged commit bf5965d into influxdata:master Jul 23, 2021
@jdstrand
Copy link
Contributor Author

Thanks for the review!

@jdstrand jdstrand deleted the jdstrand/update-jwt-go branch July 26, 2021 14:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants