SCA: security update for github.com/golang-jwt/jwt/v4 (GHSA-29wx-vh33-7x7r)

low Tenable Self-Hosted Container Security Plugin ID 408837

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in
`ParseWithClaims` can lead to situation where users are potentially not checking errors in the way they
should be. Especially, if a token is both expired and invalid, the errors returned by `ParseWithClaims`
return both error codes. If users only check for the `jwt.ErrTokenExpired ` using `error.Is`, they will
ignore the embedded `jwt.ErrTokenSignatureInvalid` and thus potentially accept invalid tokens. A fix has
been back-ported with the error handling logic from the `v5` branch to the `v4` branch. In this logic, the
`ParseWithClaims` function will immediately return in "dangerous" situations (e.g., an invalid signature),
limiting the combined errors only to situations where the signature is valid, but further validation
failed (e.g., if the signature is valid, but is expired AND has the wrong audience). This fix is part of
the 4.5.1 release. We are aware that this changes the behaviour of an established function and is not 100
% backwards compatible, so updating to 4.5.1 might break your code. In case you cannot update to 4.5.0,
please make sure that you are properly checking for all errors ("dangerous" ones first), so that you are
not running in the case detailed above. (CVE-2024-51744)

See Also

https://github.com/advisories/GHSA-29wx-vh33-7x7r

Plugin Details

Severity: Low

ID: 408837

Version: Revision 1.11

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Low

Base Score: 2.6

Temporal Score: 1.9

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2024-51744

CVSS v3

Risk Factor: Low

Base Score: 3.1

Temporal Score: 2.7

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Low

Base Score: 2.3

Threat Score: 0.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/4/2024

Vulnerability Publication Date: 11/4/2024

Reference Information

CVE: CVE-2024-51744