AZL-41684

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-41684.json

JSON Data

https://api.test.osv.dev/v1/vulns/AZL-41684

Upstream

CVE-2020-26160

Published

2020-09-30T18:15:27Z

Modified

2026-04-01T05:14:23.359096Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

CVE-2020-26160 affecting package dcos-cli for versions less than 1.2.0-15

Details

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

References

https://nvd.nist.gov/vuln/detail/CVE-2020-26160

Affected packages

Azure Linux:3 / dcos-cli

Package

Name: dcos-cli
Purl: pkg:rpm/azure-linux/dcos-cli

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.0-15

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-41684.json"