Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
JWK Set's HTTP client only overwrites and appends JWK to local cache during refresh
Vulnerability Description
JWK Set (JSON Web Key Set) is a JWK and JWK Set Go implementation. Prior to 0.6.0, the project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. The affected auto-caching HTTP client was added in version v0.5.0 and fixed in v0.6.0. The only workaround would be to remove the provided auto-caching HTTP client and replace it with a custom implementation. This involves setting the HTTPClientStorageOptions.RefreshInterval to zero (or not specifying the value).
CVSS Information
N/A
Vulnerability Type
在过期或释放后对资源进行操作
Vulnerability Title
JWK Set 安全漏洞
Vulnerability Description
JWK Set是Micah Parks个人开发者的一个 JWK 和 JWK-Set 实现。提供了一个自动缓存 JWK-Set HTTP 客户端。 JWK Set 0.6.0之前版本存在安全漏洞,该漏洞源于HTTP客户端在刷新远程JWK集时错误地覆盖或追加本地缓存,而不是进行完整替换,导致对于依赖自动缓存HTTP客户端且视密钥移除为撤销的场景构成安全风险。
CVSS Information
N/A
Vulnerability Type
N/A