If a JWT contains an audience claim with an array of strings, rather than a single string, and MapClaims.VerifyAudience is called with req set to false, then audience verification will be bypassed, allowing an invalid set of audiences to be provided.
CPE | Name | Operator | Version |
---|---|---|---|
github.com/dgrijalva/jwt-go | ge | 0.0.0-20150717181359-44718f8a89b0 | |
github.com/dgrijalva/jwt-go/v4 | lt | 4.0.0-preview1 |