How to bypass cve-2020-26160 vulnerability in dgrijalva/jwt-go?


The Container Security stage does not pass in the GitLab pipeline because of one high-level vulnerability. This vulnerability is in jwt-go, and the installed version is v3.2.0+incompatible. The error title looks like this: jwt-go: access restriction bypass vulnerability-->avd.aquasec.com/nvd/cve-2020-26160. The Go version of the relevant repo is 1.16.3. How can I fix this vulnerability?



blackgreen (BEST ANSWER):

The CVE-2020-26160 vulnerability is due to the fact that dgrijalva/jwt-go incorrectly models the JWT aud field as a string, when based on the JWT specs it should be a slice of strings.

In the general case, the "aud" value is an array of case-sensitive strings

You can't bypass it yourself, because it's a bug in the library: https://github.com/dgrijalva/jwt-go/issues/428

Switch to the official community fork golang-jwt/jwt, its v3.2.1 fixes the vulnerability: https://github.com/golang-jwt/jwt/releases/tag/v3.2.1

  • Import path change: changed the import path from github.com/dgrijalva/jwt-go to github.com/golang-jwt/jwt. See MIGRATION_GUIDE.md for tips on updating your code.
  • Fixed type confusion issue between string and []string in VerifyAudience (#12). This fixes CVE-2020-26160
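To make the type-confusion concrete, here is an added, stand-alone Go example (not code from the original post, and not the library's own source): it decodes a JWT payload segment into generic claims the way `json.Unmarshal` into a map does, then runs two audience checks over it. `vulnerableVerifyAudience` reproduces the shape of the flawed logic (assume `aud` is a string; a failed type assertion leaves an empty string, which is then treated as "claim absent"), and `fixedVerifyAudience` handles both the string and the array form that RFC 7519 allows and fails closed on anything else. The claim payloads, service names and function names are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Constructed sample claims (not from the original post). A real token is
// header.payload.signature; only the payload matters for the audience check.
const (
	payloadStringAud = `{"iss":"auth.example.test","sub":"alice","aud":"billing-api"}`
	payloadArrayAud  = `{"iss":"auth.example.test","sub":"alice","aud":["inventory-api","reports-api"]}`
)

// segment encodes claims JSON the way the middle part of a compact JWS is
// encoded (base64url without padding).
func segment(claimsJSON string) string {
	return base64.RawURLEncoding.EncodeToString([]byte(claimsJSON))
}

// claimsFromSegment decodes one JWT payload segment into generic claims.
// Unmarshalling into map[string]interface{} yields a Go string for a JSON
// string and []interface{} for a JSON array; that type difference is exactly
// what the vulnerable check ignores.
func claimsFromSegment(seg string) (map[string]interface{}, error) {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// vulnerableVerifyAudience mirrors the shape of the flawed check: it assumes
// aud is a string. An array aud fails the type assertion, aud becomes "", and
// when the caller does not mark the claim as required the function reports
// success even though the token was issued for other audiences.
func vulnerableVerifyAudience(claims map[string]interface{}, cmp string, required bool) bool {
	aud, _ := claims["aud"].(string)
	if aud == "" {
		return !required
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(cmp)) == 1
}

// fixedVerifyAudience accepts both forms allowed by RFC 7519 (a single string
// or an array of strings), rejects any other type outright, and only treats
// the claim as absent when it is genuinely missing.
func fixedVerifyAudience(claims map[string]interface{}, cmp string, required bool) bool {
	var auds []string
	switch v := claims["aud"].(type) {
	case nil:
		// claim not present
	case string:
		auds = append(auds, v)
	case []string:
		auds = v
	case []interface{}:
		for _, a := range v {
			s, ok := a.(string)
			if !ok {
				return false // malformed aud: never treat it as "absent"
			}
			auds = append(auds, s)
		}
	default:
		return false // wrong type (number, object, ...): fail closed
	}
	if len(auds) == 0 {
		return !required
	}
	for _, a := range auds {
		if subtle.ConstantTimeCompare([]byte(a), []byte(cmp)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// billing-api receives a token that was issued for two other services.
	claims, err := claimsFromSegment(segment(payloadArrayAud))
	if err != nil {
		panic(err)
	}
	fmt.Println("vulnerable check accepts:", vulnerableVerifyAudience(claims, "billing-api", false)) // true: bypass
	fmt.Println("fixed check accepts:     ", fixedVerifyAudience(claims, "billing-api", false))      // false
	fmt.Println("fixed check, listed aud: ", fixedVerifyAudience(claims, "reports-api", true))       // true
}
```

The practical consequence for the question above is that a token minted for one service can be accepted by another as long as the issuer writes `aud` as an array and the verifying code does not insist on the claim being present, which is why the remedy is upgrading the library rather than tweaking the pipeline scan.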
Pizza lord:

github.com/dgrijalva/jwt-go solved this vulnerability 25 days ago; the version you use (v3.2.0) is from 2018. Updating to use the latest version of that library should solve all the jwt security problems.