Miggo Logo
Miggo Vulnerability Database
CVE-2020-26160

CVE-2020-26160:
Authorization bypass in github.com/dgrijalva/jwt-go

7.5

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-26160
GHSA ID
GHSA-w73w-5m7g-f7qc
EPSS Score
0.13749%
CWE
CWE-287
Published
5/18/2021
Updated
5/20/2024
KEV Status
No
Technology
TechnologyGo

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
github.com/dgrijalva/jwt-go/v4go< 4.0.0-preview14.0.0-preview1
github.com/dgrijalva/jwt-gogo>= 0.0.0-20150717181359-44718f8a89b0, <= 3.2.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper type handling in JWT audience validation. The key vulnerable functions are:

  1. MapClaims.VerifyAudience: Directly responsible for unsafe type assertion of 'aud' claim
  2. verifyAud: Implemented the actual audience check logic with string-based comparison Together they failed to handle RFC-compliant array audiences, returning empty string from failed type assertion and passing invalid verification. The commit diff shows these functions were modified to add ClaimStrings type handling, confirming their role in the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

jwt-*o *llows *tt**k*rs to *yp*ss int*n*** ****ss r*stri*tions in situ*tions wit* `[]strin*{}` *or `m["*u*"]` (w*i** is *llow** *y t** sp**i*i**tion). ****us* t** typ* *ss*rtion **ils, "" is t** v*lu* o* *u*. T*is is * s**urity pro*l*m i* t** JWT tok

Reasoning

T** vuln*r**ility st*ms *rom improp*r typ* **n*lin* in JWT *u*i*n** v*li**tion. T** k*y vuln*r**l* *un*tions *r*: *. M*p*l*ims.V*ri*y*u*i*n**: *ir**tly r*sponsi*l* *or uns*** typ* *ss*rtion o* '*u*' *l*im *. v*ri*y*u*: Impl*m*nt** t** **tu*l *u*i*n**