CVE-2016-9122

Name of the Vulnerable Software and Affected Versions go-jose versions prior to 1.1.0 go-jose versions prior to 1.0.4

Description The go-jose library is affected by an issue related to multiple signatures exploitation. When validating a signed message, the API does not indicate which signature is valid. This could lead to confusion, as users of the library might mistakenly read protected header values from an attached signature that was different from the one originally validated.

Recommendations For go-jose versions prior to 1.0.4, update to version 1.0.4 or later. For go-jose versions prior to 1.1.0, update to version 1.1.0 or later.