Fluid Attacks Database

Description

Integer Overflow in go-jose go-jose before 1.0.5 suffers from a CBC-HMAC integer overflow on 32-bit architectures. An integer overflow could lead to authentication bypass for CBC-HMAC encrypted ciphertexts on 32-bit architectures.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
go	github.com/square/go-jose	>=0 <1.0.5	1.0.5
debian 13	golang-gopkg-square-go-jose.v1	>=0 <1.0.5-1	1.0.5-1
debian 14	golang-gopkg-square-go-jose.v1	>=0 <1.0.5-1	1.0.5-1
debian 11	golang-gopkg-square-go-jose.v1	>=0 <1.0.5-1	1.0.5-1
debian 12	golang-gopkg-square-go-jose.v1	>=0 <1.0.5-1	1.0.5-1

Aliases

1. CVE-2016-91232. NVD-2016-91233. OSV-2016-91234. OSV-DEBIAN-2016-91235. GCVE-2016-91236. SECURITY-TRACKER-CVE-2016-9123

References

1. https://github.com/square/go-jose/commit/789a4c4bd4c118f7564954f441b29c153ccd6a962. https://hackerone.com/reports/1651703. https://pkg.go.dev/vuln/GO-2020-00094. https://www.openwall.com/lists/oss-security/2016/11/03/1