Overview
About vulnerability
golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
Details
- Affected product:
- AlmaLinux 9.2 ESU, CentOS 8.4 ELS, CentOS 8.5 ELS, CentOS Stream 8 ELS, Grafana, Loki, TuxCare 9.6 ESU, github.com/Azure/azure-sdk-for-go/sdk/azcore, github.com/Azure/azure-sdk-for-go/sdk/azidentity, github.com/Azure/azure-sdk-for-go/sdk/internal, github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute, github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal, github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/network/armnetwork, github.com/Azure/azure-sdk-for-go/sdk/storage/azblob, github.com/AzureAD/microsoft-authentication-library-for-go, github.com/golang-jwt/jwt, github.com/grafana/e2e, github.com/grafana/grafana-azure-sdk-go, github.com/grafana/grafana/pkg/storage/unified/resource, github.com/grafana/tempo, github.com/microsoft/go-mssqldb, github.com/openfga/openfga, github.com/pressly/goose, github.com/prometheus/prometheus, github.com/thanos-io/objstore, gocloud.dev
- Affected packages:
- file @ 5.33 (+53 more)
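The allocation pattern described in the overview comes from strings.Split producing one string header (16 bytes on 64-bit platforms) per period in attacker-controlled input. The Go code below is an added example, not the golang-jwt project's own code: it splits a compact JWS into its three segments with strings.Cut, which allocates nothing proportional to the number of periods, and rejects any input that is not exactly three segments before per-segment work begins. The names splitCompactJWS, splitCount and ErrMalformed are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrMalformed: input is not header.payload.signature (exactly three segments).
var ErrMalformed = errors.New("token is not a three-segment compact JWS")

// splitCompactJWS returns the three segments without strings.Split. Each
// strings.Cut returns substrings sharing the caller's backing array, so the
// allocation cost is constant regardless of how many periods the input has.
func splitCompactJWS(token string) (header, payload, signature string, err error) {
	header, rest, ok := strings.Cut(token, ".")
	if !ok {
		return "", "", "", ErrMalformed
	}
	payload, signature, ok = strings.Cut(rest, ".")
	if !ok {
		return "", "", "", ErrMalformed
	}
	// A further period means more than three segments: reject instead of
	// silently truncating a malformed token.
	if strings.Contains(signature, ".") {
		return "", "", "", ErrMalformed
	}
	if header == "" || payload == "" {
		return "", "", "", ErrMalformed
	}
	return header, payload, signature, nil
}

// splitCount is the number of pieces strings.Split would return for token,
// i.e. the number of string headers the vulnerable path allocates up front.
func splitCount(token string) int {
	return strings.Count(token, ".") + 1
}

func main() {
	// Constructed inputs: a well-formed unsigned-token shape and a hostile one.
	good := "eyJhbGciOiJub25lIn0.eyJzdWIiOiIxMjMifQ."
	bad := strings.Repeat(".", 1<<20)
	h, p, s, err := splitCompactJWS(good)
	fmt.Println(h, p, s, err)
	_, _, _, err = splitCompactJWS(bad)
	fmt.Println(err, "- strings.Split would have produced", splitCount(bad), "pieces")
}
```

Counting or cutting segments before handing a bearer token to a parser is a cheap guard to keep even after upgrading to a fixed release.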