Skip to content

Moderate CVE in transitive dependency gopkg.in/square/go-jose.v2 #1328

New issue
New issue
Open
Open
Moderate CVE in transitive dependency gopkg.in/square/go-jose.v2#1328
@frankjkelly

Description

@frankjkelly
frankjkelly
opened on Feb 4, 2025

Behavior

go.sum has a dependency on gopkg.in/square/go-jose.v2 v2.4.1

pulsar-client-go/go.sum

Line 723 in 4e71a47

gopkg.in/square/go-jose.v2 v2.4.1/go.mod h1:M9dMgbHiYLoDGQrXy7OpJDJWiKiU//h+vD76mk0e1AI=

There is an associated CVE https://avd.aquasec.com/nvd/2024/cve-2024-28180/

However that dependency is now archived https://github.com/square/go-jose/tree/master

CVE documentation says This vulnerability has been patched in versions 4.0.1, 3.0.3 and 2.6.3.
but that requires a different path https://github.com/go-jose/go-jose

The dependency seems to come from here

github.com/apache/pulsar-client-go/pulsar
github.com/apache/pulsar-client-go/pulsar/auth
github.com/AthenZ/athenz/libs/go/zmssvctoken
github.com/AthenZ/athenz/libs/go/athenzutils
gopkg.in/square/go-jose.v2/jwt

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions