CVE-2024-51744 (GCVE-0-2024-51744)

Vulnerability from cvelistv5 – Published: 2024-11-04 21:47 – Updated: 2024-11-05 16:11
VLAI
Title
Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt
Summary
golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.
Severity
3.1 (Low)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-755 - Improper Handling of Exceptional Conditions
Assigner
References
Impacted products
Vendor Product Version
golang-jwt jwt Affected: < 4.5.1
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51744",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-05T16:11:29.522504Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-05T16:11:42.243Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "jwt",
          "vendor": "golang-jwt",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \"dangerous\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\"dangerous\" ones first), so that you are not running in the case detailed above."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.1,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-755",
              "description": "CWE-755: Improper Handling of Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-04T21:47:12.170Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r"
        },
        {
          "name": "https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c"
        }
      ],
      "source": {
        "advisory": "GHSA-29wx-vh33-7x7r",
        "discovery": "UNKNOWN"
      },
      "title": "Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-51744",
    "datePublished": "2024-11-04T21:47:12.170Z",
    "dateReserved": "2024-10-31T14:12:45.789Z",
    "dateUpdated": "2024-11-05T16:11:42.243Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-51744",
      "date": "2026-06-24",
      "epss": "0.00521",
      "percentile": "0.40135"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \\\"dangerous\\\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\\\"dangerous\\\" ones first), so that you are not running in the case detailed above.\"}, {\"lang\": \"es\", \"value\": \"golang-jwt es una implementaci\\u00f3n de Go de tokens web JSON. La documentaci\\u00f3n poco clara del comportamiento de los errores en `ParseWithClaims` puede llevar a una situaci\\u00f3n en la que los usuarios potencialmente no est\\u00e9n verificando los errores como deber\\u00edan. Especialmente, si un token est\\u00e1 vencido y no es v\\u00e1lido, los errores devueltos por `ParseWithClaims` devuelven ambos c\\u00f3digos de error. Si los usuarios solo verifican `jwt.ErrTokenExpired` usando `error.Is`, ignorar\\u00e1n el `jwt.ErrTokenSignatureInvalid` incorporado y, por lo tanto, potencialmente aceptar\\u00e1n tokens no v\\u00e1lidos. Se ha incorporado una soluci\\u00f3n con la l\\u00f3gica de manejo de errores de la rama `v5` a la rama `v4`. En esta l\\u00f3gica, la funci\\u00f3n `ParseWithClaims` regresar\\u00e1 inmediatamente en situaciones \\\"peligrosas\\\" (por ejemplo, una firma no v\\u00e1lida), lo que limita los errores combinados solo a situaciones en las que la firma es v\\u00e1lida, pero la validaci\\u00f3n posterior fall\\u00f3 (por ejemplo, si la firma es v\\u00e1lida, pero est\\u00e1 vencida Y tiene la audiencia incorrecta). Esta correcci\\u00f3n forma parte de la versi\\u00f3n 4.5.1. Somos conscientes de que esto cambia el comportamiento de una funci\\u00f3n establecida y no es 100 % compatible con versiones anteriores, por lo que actualizar a la versi\\u00f3n 4.5.1 podr\\u00eda da\\u00f1ar el c\\u00f3digo. En caso de que no pueda actualizar a la versi\\u00f3n 4.5.0, aseg\\u00farese de comprobar correctamente todos los errores (primero los \\\"peligrosos\\\"), para que no se encuentre en el caso detallado anteriormente.\"}]",
      "id": "CVE-2024-51744",
      "lastModified": "2024-11-05T16:04:26.053",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N\", \"baseScore\": 3.1, \"baseSeverity\": \"LOW\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 1.4}]}",
      "published": "2024-11-04T22:15:03.997",
      "references": "[{\"url\": \"https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r\", \"source\": \"security-advisories@github.com\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-755\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-51744\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-11-04T22:15:03.997\",\"lastModified\":\"2024-11-05T16:04:26.053\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \\\"dangerous\\\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\\\"dangerous\\\" ones first), so that you are not running in the case detailed above.\"},{\"lang\":\"es\",\"value\":\"golang-jwt es una implementaci\u00f3n de Go de tokens web JSON. La documentaci\u00f3n poco clara del comportamiento de los errores en `ParseWithClaims` puede llevar a una situaci\u00f3n en la que los usuarios potencialmente no est\u00e9n verificando los errores como deber\u00edan. Especialmente, si un token est\u00e1 vencido y no es v\u00e1lido, los errores devueltos por `ParseWithClaims` devuelven ambos c\u00f3digos de error. Si los usuarios solo verifican `jwt.ErrTokenExpired` usando `error.Is`, ignorar\u00e1n el `jwt.ErrTokenSignatureInvalid` incorporado y, por lo tanto, potencialmente aceptar\u00e1n tokens no v\u00e1lidos. Se ha incorporado una soluci\u00f3n con la l\u00f3gica de manejo de errores de la rama `v5` a la rama `v4`. En esta l\u00f3gica, la funci\u00f3n `ParseWithClaims` regresar\u00e1 inmediatamente en situaciones \\\"peligrosas\\\" (por ejemplo, una firma no v\u00e1lida), lo que limita los errores combinados solo a situaciones en las que la firma es v\u00e1lida, pero la validaci\u00f3n posterior fall\u00f3 (por ejemplo, si la firma es v\u00e1lida, pero est\u00e1 vencida Y tiene la audiencia incorrecta). Esta correcci\u00f3n forma parte de la versi\u00f3n 4.5.1. Somos conscientes de que esto cambia el comportamiento de una funci\u00f3n establecida y no es 100 % compatible con versiones anteriores, por lo que actualizar a la versi\u00f3n 4.5.1 podr\u00eda da\u00f1ar el c\u00f3digo. En caso de que no pueda actualizar a la versi\u00f3n 4.5.0, aseg\u00farese de comprobar correctamente todos los errores (primero los \\\"peligrosos\\\"), para que no se encuentre en el caso detallado anteriormente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N\",\"baseScore\":3.1,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.6,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-755\"}]}],\"references\":[{\"url\":\"https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-51744\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-05T16:11:29.522504Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-05T16:11:37.984Z\"}}], \"cna\": {\"title\": \"Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations in golang-jwt\", \"source\": {\"advisory\": \"GHSA-29wx-vh33-7x7r\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 3.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"golang-jwt\", \"product\": \"jwt\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.5.1\"}]}], \"references\": [{\"url\": \"https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r\", \"name\": \"https://github.com/golang-jwt/jwt/security/advisories/GHSA-29wx-vh33-7x7r\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c\", \"name\": \"https://github.com/golang-jwt/jwt/commit/7b1c1c00a171c6c79bbdb40e4ce7d197060c1c2c\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in `ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims` return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the `ParseWithClaims` function will immediately return in \\\"dangerous\\\" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors (\\\"dangerous\\\" ones first), so that you are not running in the case detailed above.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-755\", \"description\": \"CWE-755: Improper Handling of Exceptional Conditions\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-11-04T21:47:12.170Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-51744\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-05T16:11:42.243Z\", \"dateReserved\": \"2024-10-31T14:12:45.789Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-11-04T21:47:12.170Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.