Cloud Access Connector vulnerable dependency

Advisory Information

  • Advisory ID: TERA-SA-000104
  • CVE Numbers and Scores:
  • Published: 15 July 2021
  • Last Updated: 15 July 2021
  • Download PDF

Summary

The version of jwt-go in use was found to have a vulnerability.


Affected Products

  • Teradici Cloud Access Connector

Solutions and Mitigations

Available Updates

Update to the latest version of Cloud Access Connector.

Workarounds and Mitigation

There are currently no workarounds or mitigations.

Vulnerability Details

CVE-2020-26160

jwt-go before 4.0.0-preview1 allows attackers to bypass intended access restrictions in situations with []string{} for m["aud"] (which is allowed by the specification). Because the type assertion fails, "" is the value of aud. This is a security problem if the JWT token is presented to a service that lacks its own audience check.

Remark

Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.


Additional Resources


Revision History

15 July 2021: Initial Publication


Legal Disclaimer

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. TERADICI RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.