Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2016-9122

Good to know:

icon

Date: March 27, 2017

go-jose before 1.0.4 suffers from multiple signatures exploitation. The go-jose library supports messages with multiple signatures. However, when validating a signed message the API did not indicate which signature was valid, which could potentially lead to confusion. For example, users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.

Language: Go

Severity Score

Related Resources (10)

https://www.openwall.com/lists/oss-security/2016/11/03/1
https://github.com/square/go-jose
https://hackerone.com/reports/169629
https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a96
https://nvd.nist.gov/vuln/detail/CVE-2016-9122
https://github.com/square/go-jose/commit/2c5656adca9909843c4ff50acf1d2cf8f32da7e6
http://www.openwall.com/lists/oss-security/2016/11/03/1
https://github.com/square/go-jose/commit/c7581939a3656bb65e89d64da0a52364a33d2507
https://github.com/square/go-jose/pull/111
https://www.mend.io/vulnerability-database/CVE-2016-9122

Severity Score

Weakness Type (CWE)

Improper Access Control

CWE-284

Top Fix

icon

Upgrade Version

Upgrade to version v1.1.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): NONE
Integrity (I): HIGH
Availability (A): NONE

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): NONE
Confidentiality (C): NONE
Integrity (I): PARTIAL
Availability (A): NONE
Additional information:

Do you need more information?

Contact Us