Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.1 [security] (release-v0.17) #1247

Open
wants to merge 1 commit into
base: release-v0.17
Choose a base branch
from
Open

chore(deps): update module github.com/golang-jwt/jwt/v4 to v4.5.1 [security] (release-v0.17) #1247

wants to merge 1 commit into from

Conversation

redhat-renovate-bot
Copy link
Collaborator

@redhat-renovate-bot redhat-renovate-bot commented Jan 28, 2025
edited
Loading

This PR contains the following updates:

Package Type Update Change
github.com/golang-jwt/jwt/v4 indirect minor v4.2.0 -> v4.5.1

Improper error handling in ParseWithClaims and bad documentation may cause dangerous situations in github.com/golang-jwt/jwt

CVE-2024-51744 / GHSA-29wx-vh33-7x7r / GO-2024-3250

More information

Details

Improper error handling in ParseWithClaims and bad documentation may cause dangerous situations in github.com/golang-jwt/jwt

Severity

Unknown

References

This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

Bad documentation of error handling in ParseWithClaims can lead to potentially dangerous situations

CVE-2024-51744 / GHSA-29wx-vh33-7x7r / GO-2024-3250

More information

Details

Summary

Unclear documentation of the error behavior in ParseWithClaims can lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

Fix

We have back-ported the error handling logic from the v5 branch to the v4 branch. In this logic, the ParseWithClaims function will immediately return in "dangerous" situations (e.g., an invalid signature), limiting the combined errors only to situations where the signature is valid, but further validation failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of the 4.5.1 release.

Workaround

We are aware that this changes the behaviour of an established function and is not 100 % backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0, please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are not running in the case detailed above.

token, err := /* jwt.Parse or similar */
if token.Valid {
	fmt.Println("You look nice today")
} else if errors.Is(err, jwt.ErrTokenMalformed) {
	fmt.Println("That's not even a token")
} else if errors.Is(err, jwt.ErrTokenUnverifiable) {
	fmt.Println("We could not verify this token")
} else if errors.Is(err, jwt.ErrTokenSignatureInvalid) {
	fmt.Println("This token has an invalid signature")
} else if errors.Is(err, jwt.ErrTokenExpired) || errors.Is(err, jwt.ErrTokenNotValidYet) {
	// Token is either expired or not active yet
	fmt.Println("Timing is everything")
} else {
	fmt.Println("Couldn't handle this token:", err)
}

Severity

  • CVSS Score: 3.1 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Release Notes

golang-jwt/jwt (github.com/golang-jwt/jwt/v4)

v4.5.1

Compare Source

Security

Unclear documentation of the error behavior in ParseWithClaims in <= 4.5.0 could lead to situation where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens.

This issue was documented in GHSA-29wx-vh33-7x7r and fixed in this release.

Note: v5 was not affected by this issue. So upgrading to this release version is also recommended.

What's Changed

  • Back-ported error-handling logic in ParseWithClaims from v5 branch. This fixes GHSA-29wx-vh33-7x7r.

Full Changelog: golang-jwt/jwt@v4.5.0...v4.5.1

v4.5.0

Compare Source

What's Changed

Full Changelog: golang-jwt/jwt@v4.4.3...v4.5.0

v4.4.3

Compare Source

What's Changed

New Contributors

Full Changelog: golang-jwt/jwt@v4.4.2...v4.4.3

v4.4.2

Compare Source

What's Changed

New Contributors

Full Changelog: golang-jwt/jwt@v4.4.1...v4.4.2

v4.4.1

Compare Source

What's Changed

Note, this release contains a Go module retraction for a prior release v4.4.0:

retract (
    v4.4.0 // Contains a backwards incompatible change to the Claims interface.
)

Full Changelog: golang-jwt/jwt@v4.4.0...v4.4.1

v4.4.0

Compare Source

What's Changed

New Contributors

Full Changelog: golang-jwt/jwt@v4.3.0...v4.4.0

v4.3.0

Compare Source

What's Changed

New Contributors

Full Changelog: golang-jwt/jwt@v4.2.0...v4.3.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

@redhat-renovate-bot redhat-renovate-bot added the release-note-none Denotes a PR that doesn't merit a release note. label Jan 28, 2025
@kubevirt-bot kubevirt-bot added the dco-signoff: yes Indicates the PR's author has DCO signed all their commits. label Jan 28, 2025
@akrejcir
Copy link
Collaborator

/approve

@kubevirt-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: akrejcir

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubevirt-bot kubevirt-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 28, 2025
@ksimon1
Copy link
Member

ksimon1 commented Jan 29, 2025

/retest
/lgtm

@kubevirt-bot kubevirt-bot added lgtm Indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Jan 29, 2025
@redhat-renovate-bot redhat-renovate-bot force-pushed the renovate/release-v0.17-go-github.com-golang-jwt-jwt-v4-vulnerability branch from 0d93d15 to f83498b Compare January 29, 2025 11:14
@kubevirt-bot kubevirt-bot removed the lgtm Indicates that a PR is ready to be merged. label Jan 29, 2025
@kubevirt-bot
Copy link
Contributor

New changes are detected. LGTM label has been removed.

@kubevirt-bot kubevirt-bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jan 29, 2025
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Failed Quality Gate failed

Failed conditions
2 Security Hotspots
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jan 29, 2025

@redhat-renovate-bot: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-single-node-functests f83498b link true /test e2e-single-node-functests
ci/prow/e2e-upgrade-functests f83498b link true /test e2e-upgrade-functests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@akrejcir akrejcir Awaiting requested review from akrejcir

@lyarwood lyarwood Awaiting requested review from lyarwood

Assignees

@ksimon1 ksimon1

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. dco-signoff: yes Indicates the PR's author has DCO signed all their commits. release-note-none Denotes a PR that doesn't merit a release note. size/L
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@redhat-renovate-bot @akrejcir @kubevirt-bot @ksimon1