<p>Upgrade <code>gopkg.in/square/go-jose.v1</code> to version 1.0.4 or higher.</p>

go-jose.v1 package, versions <1.0.4

Snyk CVSS

Attack Complexity Low

Confidentiality High

Integrity High

Threat Intelligence

EPSS 0.17% (55^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-GOLANG-GOPKGINSQUAREGOJOSEV1-50003
published 16 Feb 2017
disclosed 16 Feb 2017
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 16 Feb 2017

CVE-2016-9121 Open this link in a new tab CWE-200 Open this link in a new tab

How to fix?

Upgrade gopkg.in/square/go-jose.v1 to version 1.0.4 or higher.

Overview

gopkg.in/square/go-jose.v1 is a Package that aims to provide an implementation of the Javascript Object Signing and Encryption set of standards.

Affected versions of this package are vulnerable to Elliptic Curve Key Disclosure. It suffers from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an encrypted message, go-jose neglected to check that the received public key on a message is on the same curve as the static private key of the receiver, thus making it vulnerable to an invalid curve attack.