CVE-2020-26160 on jwt-go flagged by scanners

Question

helioloureiro opened this issue 3 years ago · 2 comments

Hi,

Our scanners flagged the jwt-go vulnerability in file autorest/adal/token.go.

It is using a unmaintained jwt-go.

It should be using github.com/dgrijalva/jwt-go instead, where the fix is already delivered.

./helio

Answer 1 · 2021-08-23T16:24:52.000Z

The module you cited is no longer maintained, the correct fork is github.com/golang-jwt/jwt.

Answer 2 · 2021-08-23T16:28:39.000Z

That came from the CVE itself.