Skip to content

x/vulndb: potential Go vuln in github.com/MicahParks/jwkset: GHSA-675f-rq2r-jw82 #3376

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
GoVulnBot opened this issue Jan 9, 2025 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/MicahParks/jwkset: GHSA-675f-rq2r-jw82 #3376

GoVulnBot opened this issue Jan 9, 2025 · 1 comment
Labels
triaged

Comments

@GoVulnBot
Copy link

Advisory GHSA-675f-rq2r-jw82 references a vulnerability in the following Go modules:

Module
github.com/MicahParks/jwkset

Description:

Impact

The project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation.

Example attack scenario:

  1. An attacker has stolen the private key for a key published in JWK Set.
  2. The publishers of that JWK Set remove that key from the JWK Set.
  3. Enough time has passed that the program using the auto-caching HTTP client foun...

References:

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/MicahParks/jwkset
      non_go_versions:
        - introduced: TODO (earliest fixed "0.6.0", vuln range ">= 0.5.0, <= 0.5.21")
      vulnerable_at: 0.6.0
summary: |-
    JWK Set's HTTP client only overwrites and appends JWK to local cache during
    refresh in github.com/MicahParks/jwkset
cves:
    - CVE-2025-22149
ghsas:
    - GHSA-675f-rq2r-jw82
references:
    - advisory: https://github.com/MicahParks/jwkset/security/advisories/GHSA-675f-rq2r-jw82
    - advisory: https://github.com/advisories/GHSA-675f-rq2r-jw82
    - fix: https://github.com/MicahParks/jwkset/pull/41
    - report: https://github.com/MicahParks/jwkset/issues/40
source:
    id: GHSA-675f-rq2r-jw82
    created: 2025-01-09T18:01:19.660427264Z
review_status: UNREVIEWED
@tatianab tatianab mentioned this issue Jan 9, 2025
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/641815 mentions this issue: data/reports: add 3 unreviewed reports

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triaged
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@tatianab @gopherbot @GoVulnBot