A vulnerability was found in jwt-go that allows an Access Restriction Bypass. If m["aud"] happens to be []string{}, as allowed by the spec, the type assertion on the claim fails and the value of aud is "". This causes audience verification to succeed even when the audiences being passed are incorrect, provided required is set to false.

References:
https://github.com/dgrijalva/jwt-go/issues/428
https://github.com/dgrijalva/jwt-go/issues/422
https://snyk.io/vuln/golang:github.com%2Fdgrijalva%2Fjwt-go
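To make the failure mode concrete, here is an added example (not code from the jwt-go project or from this report) with two simplified re-implementations of MapClaims audience verification: one modelled on the pre-fix logic, which does a single type assertion to string, and one modelled on the upstream fix, which accepts a string, a []string or a JSON array. The claim payloads are constructed for this example. Note that encoding/json decodes a JSON array into []interface{}, which fails the string assertion exactly as a []string does. The names MapClaims, VerifyAudienceVulnerable, VerifyAudienceFixed and decodeClaims are this example's own.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// MapClaims stands in for jwt.MapClaims: a decoded JWT payload (example type).
type MapClaims map[string]interface{}

// constantTimeEqual compares two strings without leaking the position of
// the first mismatch through timing.
func constantTimeEqual(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// VerifyAudienceVulnerable models the pre-fix check: a single type assertion
// to string. For a JSON array (decoded as []interface{}) or any other
// non-string value the assertion fails, aud silently becomes "", and the
// "no audience claim" branch returns !required, i.e. true whenever the
// caller did not mark the claim as required.
func VerifyAudienceVulnerable(m MapClaims, cmp string, required bool) bool {
	aud, _ := m["aud"].(string) // ok is discarded: failure looks like absence
	if aud == "" {
		return !required
	}
	return constantTimeEqual(aud, cmp)
}

// VerifyAudienceFixed accepts every shape RFC 7519 allows for "aud": a
// single string, a []string, or a JSON array decoded as []interface{}.
// Anything else is a malformed claim and is rejected rather than ignored.
func VerifyAudienceFixed(m MapClaims, cmp string, required bool) bool {
	var auds []string
	switch v := m["aud"].(type) {
	case nil:
		// claim absent; handled by the length check below
	case string:
		auds = []string{v}
	case []string:
		auds = v
	case []interface{}:
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return false
			}
			auds = append(auds, s)
		}
	default:
		return false // e.g. a number or an object: never a valid audience
	}
	if len(auds) == 0 {
		return !required
	}
	// Check every entry rather than returning early, so the work done does
	// not depend on where in the list the match sits.
	matched := false
	totalLen := 0
	for _, a := range auds {
		totalLen += len(a)
		if constantTimeEqual(a, cmp) {
			matched = true
		}
	}
	if totalLen == 0 {
		return !required // ["", ""] carries no audience, same as an absent claim
	}
	return matched
}

// decodeClaims parses a JSON claim set the way the library does internally,
// so arrays arrive as []interface{} rather than []string.
func decodeClaims(payload string) (MapClaims, error) {
	var m MapClaims
	if err := json.Unmarshal([]byte(payload), &m); err != nil {
		return nil, err
	}
	return m, nil
}

func main() {
	// Constructed payloads: the issuer minted both tokens for "other-service",
	// and the verifier is "my-service", so both should be rejected.
	for _, payload := range []string{
		`{"sub":"alice","aud":["other-service"]}`,
		`{"sub":"alice","aud":"other-service"}`,
	} {
		m, err := decodeClaims(payload)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%-42s vulnerable=%-5v fixed=%v\n", payload,
			VerifyAudienceVulnerable(m, "my-service", false),
			VerifyAudienceFixed(m, "my-service", false))
	}
}
```

With a string aud, the shape the go-autorest ADAL code discussed further down this thread produces, both verifiers agree and the wrong audience is rejected; only the array form, or any other non-string value, reaches the vulnerable "" branch. Setting required to true also closes the hole in the old code, since "" then yields false, but callers rarely set it.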
External References: https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515
Upstream commit: https://github.com/dgrijalva/jwt-go/pull/429
The github.com/dgrijalva/jwt-go module is an indirect dependency of the k8s.io/client-go/plugin/pkg/client/auth/azure package pulled into the Quay Bridge and Setup operators via the Operator SDK generated code:

./pkg/controller/namespace/namespace_controller.go: "k8s.io/client-go/tools/cache"
./pkg/k8sutils/k8sutils.go: "k8s.io/client-go/kubernetes"

The k8s.io/client-go/plugin/pkg/client/auth/azure package sets the aud field to a string when signing a JWT token, not an empty slice, making it currently not vulnerable to this flaw.
https://github.com/Azure/go-autorest/blob/master/autorest/adal/token.go#L253

Also, the Quay operators do not pull in the vulnerable Azure plugin package (they only use the tools and kubernetes client-go packages), so even if the Azure/go-autorest module was using jwt-go in an unsafe way, the operators would not be vulnerable.
> Also, the Quay operators do not pull in the vulnerable Azure plugin package
> (they only use tools, and kubernetes client-go packages), so even if the
> Azure/go-autorest module was using jwt-go in an unsafe way, the operators
> would not be vulnerable.

This part was not the full story: cmd/manager/main.go also calls the init function of "k8s.io/client-go/plugin/pkg/client/auth", which initialises the Azure go-autorest plugin. Still though, that module does not use jwt-go in an unsafe way.
Statement:

The github.com/dgrijalva/jwt-go module is an indirect dependency of the k8s.io/client-go module pulled into the Quay Bridge and Setup operators via the Operator SDK generated code. The k8s.io/client-go module does not use jwt-go in an unsafe way [1]. Red Hat Quay components have been marked as wontfix. This may be fixed in the future.

Similar to Quay, multiple OpenShift Container Platform (OCP) containers include jwt-go as a transitive dependency through go-autorest [1]. As such, those containers do not use jwt-go in an unsafe way. They have been marked wontfix at this time and may be fixed in a future update.

As with Quay and OpenShift Container Platform, components shipped with Red Hat OpenShift Container Storage 4 do not use jwt-go in an unsafe way, and hence this issue has been rated as having a security impact of Low. A future update may address this issue.

Red Hat Gluster Storage 3 shipped multi-cloud-object-gateway-cli as a technical preview; it is not currently planned to be addressed in future updates, hence the multi-cloud-object-gateway-cli package will not be fixed.

[1] https://github.com/Azure/go-autorest/issues/568#issuecomment-703804062
This issue has been addressed in the following products: OpenShift Serverless 1.13 Via RHSA-2021:0516 https://access.redhat.com/errata/RHSA-2021:0516
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-26160
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2020:5633 https://access.redhat.com/errata/RHSA-2020:5633
This issue has been addressed in the following products: RHEL-8-CNV-2.6 Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799
This issue has been addressed in the following products: Red Hat OpenShift Container Storage 4.7.0 on RHEL-8 Via RHSA-2021:2041 https://access.redhat.com/errata/RHSA-2021:2041
This issue has been addressed in the following products: Red Hat OpenShift Container Storage 4.7.0 on RHEL-8 Via RHSA-2021:2042 https://access.redhat.com/errata/RHSA-2021:2042
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
This issue has been addressed in the following products: Cryostat 2 on RHEL 8 Via RHSA-2021:5110 https://access.redhat.com/errata/RHSA-2021:5110