jwt-go allows attackers to bypass intended access restrictions in situations with []string{}
for m["aud"]
(which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check. There is no patch available and users of jwt-go are advised to migrate to golang-jwt at version 3.2.1
Improper Access Control
See which of your images are affected by this CVE and how to fix them by signing into Docker Scout.
Sign in