Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
jwt-go allows excessive memory allocation during header parsing
Vulnerability Description
golang-jwt is a Go implementation of JSON Web Tokens. Starting in version 3.2.0 and prior to versions 5.2.2 and 4.5.2, the function parse.ParseUnverified splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request whose Authorization header consists of Bearer followed by many period characters, a call to that function incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This issue is fixed in 5.2.2 and 4.5.2.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
不对称的资源消耗(放大攻击)
Vulnerability Title
jwt-go 安全漏洞
Vulnerability Description
jwt-go是golang-jwt开源的一个Go语言的JWT实现。 jwt-go 5.2.2之前版本和4.5.2之前版本存在安全漏洞,该漏洞源于parse.ParseUnverified函数在处理恶意请求时可能导致内存分配问题。
CVSS Information
N/A
Vulnerability Type
N/A