This repository has been archived by the owner on Apr 22, 2024. It is now read-only.

CVE-2024-21664 #79

Open
sbko opened this issue Mar 6, 2024 · 3 comments

Comments

@sbko

sbko commented Mar 6, 2024

The latest release is affected by https://nvd.nist.gov/vuln/detail/CVE-2024-21664

CVE-2024-21664 | Anchore CVE | High | github.com/lestrrat-go/jwx-v1.2.28

@nacx
Member

nacx commented Mar 6, 2024

Thanks for reporting! According to the linked CVE description:

This vulnerability has been patched in versions 2.0.19 and 1.2.28.

And in version 1.0.1 we're already using 1.2.28:

github.com/lestrrat-go/jwx v1.2.28

Shouldn't that version already contain the patch for that CVE?
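The version comparison discussed in the comment above, as an added example that is not part of the thread or the project's code: it reads `go.mod` requirements and compares any jwx entry against the fixed release for its major line (1.2.28 and 2.0.19, as quoted from the CVE description). The sample `go.mod` text and the function names are constructed for illustration; the `/v2` module path follows Go's major-version suffix convention.

```go
package main

import (
	"fmt"
	"strings"
)

// Fixed releases as quoted from the CVE description in the thread, keyed by module path.
var fixedIn = map[string][3]int{
	"github.com/lestrrat-go/jwx":    {1, 2, 28},
	"github.com/lestrrat-go/jwx/v2": {2, 0, 19},
}

// status classifies a plain vX.Y.Z version against the fixed release of its major line.
func status(v string, fixed [3]int) string {
	var got [3]int
	fmt.Sscanf(v, "v%d.%d.%d", &got[0], &got[1], &got[2])
	if fmt.Sprintf("v%d.%d.%d", got[0], got[1], got[2]) != v {
		return "unknown" // pre-release, pseudo-version or malformed: review by hand
	}
	for i := 0; i < 3 && got[i] <= fixed[i]; i++ {
		if got[i] < fixed[i] {
			return "unpatched"
		}
	}
	return "patched" // equal to or newer than the fixed release
}

// CheckGoMod returns one finding per jwx requirement found in go.mod text.
func CheckGoMod(gomod string) []string {
	var findings []string
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(line), "require "))
		if len(f) < 2 {
			continue
		}
		if fixed, ok := fixedIn[f[0]]; ok {
			findings = append(findings, f[0]+" "+f[1]+": "+status(f[1], fixed))
		}
	}
	return findings
}

// sampleGoMod is constructed for this example; it is not the project's go.mod.
const sampleGoMod = "require github.com/lestrrat-go/jwx v1.2.28\nrequire github.com/lestrrat-go/jwx/v2 v2.0.18\n"

func main() {
	fmt.Println(strings.Join(CheckGoMod(sampleGoMod), "\n"))
}
```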

@nacx
Member

nacx commented Mar 7, 2024

@sbko we've merged #80 that upgrades JWX to v2. Could you check if the latest main branch still reports the CVE?

@sbko
Author

sbko commented Mar 7, 2024

@nacx could you cut a release so I can test it in Ironbank?
