VDB

RHSA-2021%3A0516

RHSA-2021%3A0516 PUBLISHED CVSS 7.5 HIGH

A vulnerability was found in jwt-go where it is vulnerable to Access Restriction Bypass if m["aud"] happens to be []string{}, as allowed by the spec, the type assertion fails and the value of aud is "". This can cause audience verification to succeed even if the audiences being passed are incorrect if required is set to false.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Products

VendorProductVersions
Red Hatopenshift-serverless-1/serving-autoscaler-rhel8@sha256:c37136608b097737386b718612888a251802724920e3bf9a7479134e42d700d3_amd64 as a component of Openshift Serverless 1.13openshift-serverless-1/serving-autoscaler-rhel8@sha256:c37136608b097737386b718612888a251802724920e3bf9a7479134e42d700d3_amd64
Red Hatopenshift-serverless-1/eventing-in-memory-channel-dispatcher-rhel8@sha256:52c42f00cf55d04f88d8d7ad38850963ca5d936d9f7e613d5227529263a97058_amd64 as a component of Openshift Serverless 1.13*, *
Red Hatopenshift-serverless-1/client-kn-rhel8@sha256:5757f011df96a72d84afaf4175242ce5dc8e5e7361475f52a99aef7fdd579257_amd64 as a component of Openshift Serverless 1.13openshift-serverless-1/client-kn-rhel8@sha256:5757f011df96a72d84afaf4175242ce5dc8e5e7361475f52a99aef7fdd579257_amd64
Red Hatopenshift-serverless-1/serving-webhook-rhel8@sha256:c2b79facda8ba1e3a64ca15778be000565753bfffe3664b19015142de8bb06a5_amd64 as a component of Openshift Serverless 1.13openshift-serverless-1/serving-webhook-rhel8@sha256:c2b79facda8ba1e3a64ca15778be000565753bfffe3664b19015142de8bb06a5_amd64
Red Hatopenshift-serverless-1/svls-must-gather-rhel8@sha256:ee874a46331e87a13c3cb3ec6fafde50bf3ccd228484c27e00a817ba9ba7f213_amd64 as a component of Openshift Serverless 1.13openshift-serverless-1/svls-must-gather-rhel8@sha256:ee874a46331e87a13c3cb3ec6fafde50bf3ccd228484c27e00a817ba9ba7f213_amd64
Red Hatopenshift-serverless-1/serving-autoscaler-hpa-rhel8@sha256:1b99069921f432115c1bb85b5776bf57044a1b7a06a7d943ac8800482f7469ea_amd64 as a component of Openshift Serverless 1.13*, openshift-serverless-1/serving-autoscaler-hpa-rhel8@sha256:1b99069921f432115c1bb85b5776bf57044a1b7a06a7d943ac8800482f7469ea_amd64
Red Hatopenshift-serverless-1/serving-storage-version-migration-rhel8@sha256:59eebf739c6047e991cbf8dfbf80db5430adc4390c477ef848293bbed00e7620_amd64 as a component of Openshift Serverless 1.13openshift-serverless-1/serving-storage-version-migration-rhel8@sha256:59eebf739c6047e991cbf8dfbf80db5430adc4390c477ef848293bbed00e7620_amd64, *
Red Hatopenshift-serverless-1/kn-cli-artifacts-rhel8@sha256:5be1792a2e8a31f851a869a3244dc2de0494af366f9ad44b44183aad09d50463_amd64 as a component of Openshift Serverless 1.13*, openshift-serverless-1/kn-cli-artifacts-rhel8@sha256:5be1792a2e8a31f851a869a3244dc2de0494af366f9ad44b44183aad09d50463_amd64
Red Hatopenshift-serverless-1/eventing-sugar-controller-rhel8@sha256:01cabe0adf0fd2c010f6103d861d5e71985de76fdaa021759265f117327013b8_amd64 as a component of Openshift Serverless 1.13*, openshift-serverless-1/eventing-sugar-controller-rhel8@sha256:01cabe0adf0fd2c010f6103d861d5e71985de76fdaa021759265f117327013b8_amd64
Red Hatopenshift-serverless-1/eventing-mtchannel-broker-rhel8@sha256:ceae3dc5b4798c903d342a8aadf45cbfd13cab61588567bb03edda6b65094e21_amd64 as a component of Openshift Serverless 1.13openshift-serverless-1/eventing-mtchannel-broker-rhel8@sha256:ceae3dc5b4798c903d342a8aadf45cbfd13cab61588567bb03edda6b65094e21_amd64
Red Hatopenshift-serverless-1/eventing-mtbroker-ingress-rhel8@sha256:b9f1f6bbea679d1a1bff74f872412a10fe576d7f619418a7688be3d78ac36f16_amd64 as a component of Openshift Serverless 1.13openshift-serverless-1/eventing-mtbroker-ingress-rhel8@sha256:b9f1f6bbea679d1a1bff74f872412a10fe576d7f619418a7688be3d78ac36f16_amd64, *
Red Hatopenshift-serverless-1/serving-domain-mapping-webhook-rhel8@sha256:8767e3b4d07298246b6d8b705c3c9e63142773de0135e032ce0b8b3ee2fde64b_amd64 as a component of Openshift Serverless 1.13openshift-serverless-1/serving-domain-mapping-webhook-rhel8@sha256:8767e3b4d07298246b6d8b705c3c9e63142773de0135e032ce0b8b3ee2fde64b_amd64
Red Hatopenshift-serverless-1/serverless-operator-bundle@sha256:f51bf79d93c571064a8038cd7ab40ced67ab87d5e0063afe3dda47935cb1eda6_amd64 as a component of Openshift Serverless 1.13openshift-serverless-1/serverless-operator-bundle@sha256:f51bf79d93c571064a8038cd7ab40ced67ab87d5e0063afe3dda47935cb1eda6_amd64
Red Hatopenshift-serverless-1/serving-activator-rhel8@sha256:282d41e5163cc0682295d73aecafef36c23bedb0d436446e3acce936a8b0f8c6_amd64 as a component of Openshift Serverless 1.13*, openshift-serverless-1/serving-activator-rhel8@sha256:282d41e5163cc0682295d73aecafef36c23bedb0d436446e3acce936a8b0f8c6_amd64
Red Hatopenshift-serverless-1/serving-domain-mapping-webhook-rhel8@sha256:8767e3b4d07298246b6d8b705c3c9e63142773de0135e032ce0b8b3ee2fde64b_amd64 as a component of Openshift Serverless 1.13openshift-serverless-1/serving-domain-mapping-webhook-rhel8@sha256:8767e3b4d07298246b6d8b705c3c9e63142773de0135e032ce0b8b3ee2fde64b_amd64, *
Red Hatopenshift-serverless-1/knative-rhel8-operator@sha256:e56c32f5ada972006466fb3fd15038634edb5b3f4e63af497c4e1eb0645aec65_amd64 as a component of Openshift Serverless 1.13*, openshift-serverless-1/knative-rhel8-operator@sha256:e56c32f5ada972006466fb3fd15038634edb5b3f4e63af497c4e1eb0645aec65_amd64
Red Hatopenshift-serverless-1/eventing-in-memory-channel-controller-rhel8@sha256:641966e98b79e86810ea93068324951cc1802918d1e19f17f51290fd7227475e_amd64 as a component of Openshift Serverless 1.13*
Red Hatopenshift-serverless-1/serving-controller-rhel8@sha256:467cec1508213c7f4a55ab15633af0870deca1bea076a075157c7869dbc3e5b0_amd64 as a component of Openshift Serverless 1.13*, *
Red Hatopenshift-serverless-1/kn-cli-artifacts-rhel8@sha256:5be1792a2e8a31f851a869a3244dc2de0494af366f9ad44b44183aad09d50463_amd64 as a component of Openshift Serverless 1.13openshift-serverless-1/kn-cli-artifacts-rhel8@sha256:5be1792a2e8a31f851a869a3244dc2de0494af366f9ad44b44183aad09d50463_amd64
Red Hatopenshift-serverless-1/serverless-rhel8-operator@sha256:c4fa82ff905612b7c771bc3b274db91f9ec33f3fb3899d3e39cb77d4403fea55_amd64 as a component of Openshift Serverless 1.13openshift-serverless-1/serverless-rhel8-operator@sha256:c4fa82ff905612b7c771bc3b274db91f9ec33f3fb3899d3e39cb77d4403fea55_amd64

…and 36 more

Timeline

  • Feb 18, 2021 CVE Published
  • Apr 25, 2026 Distribution Patch
  • Apr 25, 2026 Distribution Patch
  • Apr 25, 2026 Security Advisory
  • Apr 25, 2026 Security Advisory
  • May 15, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›