VDB
RHSA-2021%3A0516
RHSA-2021%3A0516
PUBLISHED
CVSS 7.5 HIGH
A vulnerability was found in jwt-go where it is vulnerable to Access Restriction Bypass if m["aud"] happens to be []string{}, as allowed by the spec, the type assertion fails and the value of aud is "". This can cause audience verification to succeed even if the audiences being passed are incorrect if required is set to false.
Risk Scores
CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | openshift-serverless-1/serving-autoscaler-rhel8@sha256:c37136608b097737386b718612888a251802724920e3bf9a7479134e42d700d3_amd64 as a component of Openshift Serverless 1.13 | openshift-serverless-1/serving-autoscaler-rhel8@sha256:c37136608b097737386b718612888a251802724920e3bf9a7479134e42d700d3_amd64 |
| Red Hat | openshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8@sha256:52c42f00cf55d04f88d8d7ad38850963ca5d936d9f7e613d5227529263a97058_amd64 as a component of Openshift Serverless 1.13 | *, * |
| Red Hat | openshift-serverless-1/client-kn-rhel8@sha256:5757f011df96a72d84afaf4175242ce5dc8e5e7361475f52a99aef7fdd579257_amd64 as a component of Openshift Serverless 1.13 | openshift-serverless-1/client-kn-rhel8@sha256:5757f011df96a72d84afaf4175242ce5dc8e5e7361475f52a99aef7fdd579257_amd64 |
| Red Hat | openshift-serverless-1/serving-webhook-rhel8@sha256:c2b79facda8ba1e3a64ca15778be000565753bfffe3664b19015142de8bb06a5_amd64 as a component of Openshift Serverless 1.13 | openshift-serverless-1/serving-webhook-rhel8@sha256:c2b79facda8ba1e3a64ca15778be000565753bfffe3664b19015142de8bb06a5_amd64 |
| Red Hat | openshift-serverless-1/svls-must-gather-rhel8@sha256:ee874a46331e87a13c3cb3ec6fafde50bf3ccd228484c27e00a817ba9ba7f213_amd64 as a component of Openshift Serverless 1.13 | openshift-serverless-1/svls-must-gather-rhel8@sha256:ee874a46331e87a13c3cb3ec6fafde50bf3ccd228484c27e00a817ba9ba7f213_amd64 |
| Red Hat | openshift-serverless-1/serving-autoscaler-hpa-rhel8@sha256:1b99069921f432115c1bb85b5776bf57044a1b7a06a7d943ac8800482f7469ea_amd64 as a component of Openshift Serverless 1.13 | *, openshift-serverless-1/serving-autoscaler-hpa-rhel8@sha256:1b99069921f432115c1bb85b5776bf57044a1b7a06a7d943ac8800482f7469ea_amd64 |
| Red Hat | openshift-serverless-1/serving-storage-version-migration-rhel8@sha256:59eebf739c6047e991cbf8dfbf80db5430adc4390c477ef848293bbed00e7620_amd64 as a component of Openshift Serverless 1.13 | openshift-serverless-1/serving-storage-version-migration-rhel8@sha256:59eebf739c6047e991cbf8dfbf80db5430adc4390c477ef848293bbed00e7620_amd64, * |
| Red Hat | openshift-serverless-1/kn-cli-artifacts-rhel8@sha256:5be1792a2e8a31f851a869a3244dc2de0494af366f9ad44b44183aad09d50463_amd64 as a component of Openshift Serverless 1.13 | *, openshift-serverless-1/kn-cli-artifacts-rhel8@sha256:5be1792a2e8a31f851a869a3244dc2de0494af366f9ad44b44183aad09d50463_amd64 |
| Red Hat | openshift-serverless-1/eventing-sugar-controller-rhel8@sha256:01cabe0adf0fd2c010f6103d861d5e71985de76fdaa021759265f117327013b8_amd64 as a component of Openshift Serverless 1.13 | *, openshift-serverless-1/eventing-sugar-controller-rhel8@sha256:01cabe0adf0fd2c010f6103d861d5e71985de76fdaa021759265f117327013b8_amd64 |
| Red Hat | openshift-serverless-1/eventing-mtchannel-broker-rhel8@sha256:ceae3dc5b4798c903d342a8aadf45cbfd13cab61588567bb03edda6b65094e21_amd64 as a component of Openshift Serverless 1.13 | openshift-serverless-1/eventing-mtchannel-broker-rhel8@sha256:ceae3dc5b4798c903d342a8aadf45cbfd13cab61588567bb03edda6b65094e21_amd64 |
| Red Hat | openshift-serverless-1/eventing-mtbroker-ingress-rhel8@sha256:b9f1f6bbea679d1a1bff74f872412a10fe576d7f619418a7688be3d78ac36f16_amd64 as a component of Openshift Serverless 1.13 | openshift-serverless-1/eventing-mtbroker-ingress-rhel8@sha256:b9f1f6bbea679d1a1bff74f872412a10fe576d7f619418a7688be3d78ac36f16_amd64, * |
| Red Hat | openshift-serverless-1/serving-domain-mapping-webhook-rhel8@sha256:8767e3b4d07298246b6d8b705c3c9e63142773de0135e032ce0b8b3ee2fde64b_amd64 as a component of Openshift Serverless 1.13 | openshift-serverless-1/serving-domain-mapping-webhook-rhel8@sha256:8767e3b4d07298246b6d8b705c3c9e63142773de0135e032ce0b8b3ee2fde64b_amd64 |
| Red Hat | openshift-serverless-1/serverless-operator-bundle@sha256:f51bf79d93c571064a8038cd7ab40ced67ab87d5e0063afe3dda47935cb1eda6_amd64 as a component of Openshift Serverless 1.13 | openshift-serverless-1/serverless-operator-bundle@sha256:f51bf79d93c571064a8038cd7ab40ced67ab87d5e0063afe3dda47935cb1eda6_amd64 |
| Red Hat | openshift-serverless-1/serving-activator-rhel8@sha256:282d41e5163cc0682295d73aecafef36c23bedb0d436446e3acce936a8b0f8c6_amd64 as a component of Openshift Serverless 1.13 | *, openshift-serverless-1/serving-activator-rhel8@sha256:282d41e5163cc0682295d73aecafef36c23bedb0d436446e3acce936a8b0f8c6_amd64 |
| Red Hat | openshift-serverless-1/serving-domain-mapping-webhook-rhel8@sha256:8767e3b4d07298246b6d8b705c3c9e63142773de0135e032ce0b8b3ee2fde64b_amd64 as a component of Openshift Serverless 1.13 | openshift-serverless-1/serving-domain-mapping-webhook-rhel8@sha256:8767e3b4d07298246b6d8b705c3c9e63142773de0135e032ce0b8b3ee2fde64b_amd64, * |
| Red Hat | openshift-serverless-1/knative-rhel8-operator@sha256:e56c32f5ada972006466fb3fd15038634edb5b3f4e63af497c4e1eb0645aec65_amd64 as a component of Openshift Serverless 1.13 | *, openshift-serverless-1/knative-rhel8-operator@sha256:e56c32f5ada972006466fb3fd15038634edb5b3f4e63af497c4e1eb0645aec65_amd64 |
| Red Hat | openshift-serverless-1/eventing-in-memory-channel-controller-rhel8@sha256:641966e98b79e86810ea93068324951cc1802918d1e19f17f51290fd7227475e_amd64 as a component of Openshift Serverless 1.13 | * |
| Red Hat | openshift-serverless-1/serving-controller-rhel8@sha256:467cec1508213c7f4a55ab15633af0870deca1bea076a075157c7869dbc3e5b0_amd64 as a component of Openshift Serverless 1.13 | *, * |
| Red Hat | openshift-serverless-1/kn-cli-artifacts-rhel8@sha256:5be1792a2e8a31f851a869a3244dc2de0494af366f9ad44b44183aad09d50463_amd64 as a component of Openshift Serverless 1.13 | openshift-serverless-1/kn-cli-artifacts-rhel8@sha256:5be1792a2e8a31f851a869a3244dc2de0494af366f9ad44b44183aad09d50463_amd64 |
| Red Hat | openshift-serverless-1/serverless-rhel8-operator@sha256:c4fa82ff905612b7c771bc3b274db91f9ec33f3fb3899d3e39cb77d4403fea55_amd64 as a component of Openshift Serverless 1.13 | openshift-serverless-1/serverless-rhel8-operator@sha256:c4fa82ff905612b7c771bc3b274db91f9ec33f3fb3899d3e39cb77d4403fea55_amd64 |
…and 36 more
Timeline
- Feb 18, 2021 CVE Published
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Distribution Patch
- Apr 25, 2026 Security Advisory
- Apr 25, 2026 Security Advisory
- May 15, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2021:0516 advisory
- https://access.redhat.com/security/updates/classification/#moderate advisory
- https://access.redhat.com/documentation/en-us/openshift_container_platform/4.6/html/serverless_applications/index advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1883371 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=1919046 issue
- https://bugzilla.redhat.com/show_bug.cgi?id=1919047 issue
- https://security.access.redhat.com/data/csaf/v2/advisories/2021/rhsa-2021_0516.json advisory
- https://access.redhat.com/security/cve/CVE-2020-26160 advisory
- https://www.cve.org/CVERecord?id=CVE-2020-26160 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2020-26160 advisory
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMDGRIJALVAJWTGO-596515 advisory