golang-jwt / jwt

Go implementation of JSON Web Tokens (JWT).

Home Page: https://golang-jwt.github.io/jwt/


PRISMA-2022-0270 security vulnerability in version v4.4.2

vishweshwarp opened this issue

Found the vulnerability with code PRISMA-2022-0270 in version v4.4.2. Can we get this fixed?

Vulnerability description:
The github.com/golang-jwt/jwt/v4 module, in all versions, is vulnerable to Denial of Service (DoS) because a token without ExpiresAt can cause a panic.

This is a duplicate of #223. This was never a real problem of this library and only encountered if people were misusing the API. We made it more clear and changed an example (see #255). I can release a 4.4.3 since this already merged on main.
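The misuse the maintainer refers to is application code that dereferences the optional expiry claim without checking for nil. The following is an added example, not code from the golang-jwt project or from any participant in this thread. It uses a minimal stand-in claims type (an assumption: a struct whose `ExpiresAt` is a pointer that is nil when the token carries no `exp` claim, mirroring the shape discussed in the issue) so that it runs offline without the module. `misuse` shows the nil-pointer panic; `checkExpiry` shows the caller making the policy decision explicitly, rejecting tokens without `exp` instead of crashing on them.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// NumericDate is a stand-in for a JWT numeric-date claim (assumption for
// this example; not the library's own type).
type NumericDate struct {
	time.Time
}

// RegisteredClaims is a stand-in claims struct. ExpiresAt is nil when the
// parsed token carried no "exp" claim, which is the case the issue is about.
type RegisteredClaims struct {
	Subject   string
	ExpiresAt *NumericDate
}

// misuse reproduces the bug pattern: handler code that assumes "exp" is
// always present and dereferences the pointer. With a token that has no
// "exp", this is a nil-pointer dereference; in a server without a recover
// around the handler it takes the process down. The recover here only
// exists so the example can report that the panic happened.
func misuse(c RegisteredClaims) (expiry time.Time, panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	expiry = c.ExpiresAt.Time // panics when ExpiresAt == nil
	return expiry, false
}

var (
	ErrNoExpiry = errors.New("token has no exp claim")
	ErrExpired  = errors.New("token expired")
)

// checkExpiry is the hardened form: a missing "exp" is an explicit policy
// decision (rejected here, which is the conservative choice for access
// tokens), and the pointer is only dereferenced after the nil check.
func checkExpiry(c RegisteredClaims, now time.Time) error {
	if c.ExpiresAt == nil {
		return ErrNoExpiry
	}
	if !now.Before(c.ExpiresAt.Time) {
		return fmt.Errorf("%w: at %s", ErrExpired,
			c.ExpiresAt.Time.UTC().Format(time.RFC3339))
	}
	return nil
}

func main() {
	// Constructed input: claims parsed from a token that carried no "exp".
	noExp := RegisteredClaims{Subject: "alice"}

	if _, panicked := misuse(noExp); panicked {
		fmt.Println("misuse: panicked on token without exp")
	}
	fmt.Println("checkExpiry:", checkExpiry(noExp, time.Now()))

	// Constructed input: a token with a future "exp" passes the check.
	ok := RegisteredClaims{Subject: "bob",
		ExpiresAt: &NumericDate{time.Now().Add(time.Hour)}}
	fmt.Println("checkExpiry (valid):", checkExpiry(ok, time.Now()))
}
```

Whether a token without `exp` should be accepted is the application's call, not the library's; what must not happen is the unchecked dereference. If the application does accept such tokens, the nil branch returns `nil` instead of `ErrNoExpiry`, and nothing else changes.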

The 4.4.3 release is still being flagged by Prisma Cloud as a vulnerability, sadly.

That is the problem with using some cloud security software from a vendor which does not even bother reporting it to the original repo but just assigns its own proprietary number. It has no assigned CVE number. The actual CVE-2022-0270 is for a totally different product. Not sure what else we can do from our side on this.

I suggest we close this issue. Not much more to do here, and @oxisto's answers are spot on.