fanjeff opened a new pull request #481:
URL: https://github.com/apache/pulsar-client-go/pull/481


   jwt-go before 4.0.0-preview1 allows attackers to bypass intended access 
restrictions in situations with []string{} for m["aud"] (which is allowed by 
the specification). Because the type assertion fails, "" is the value of aud. 
This is a security problem if the JWT token is presented to a service that 
lacks its own audience check.
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
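As an added illustration (not code from this pull request or from jwt-go), the Go sketch below models the failure mode the PR description reports: an audience check that type-asserts `aud` to a string, next to one that accepts both the string and array forms and fails closed. The function names and the audience values `pulsar-broker` and `billing-api` are constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
)

// weakVerifyAudience models the pattern described above (not jwt-go's source):
// an array-valued "aud" fails the string assertion, leaving aud == "".
func weakVerifyAudience(claims map[string]interface{}, want string, required bool) bool {
	aud, _ := claims["aud"].(string)
	if aud == "" {
		return !required // empty is treated as "claim absent"
	}
	return subtle.ConstantTimeCompare([]byte(aud), []byte(want)) == 1
}

// strictVerifyAudience accepts both shapes of "aud" and fails closed otherwise.
func strictVerifyAudience(claims map[string]interface{}, want string) bool {
	var auds []string
	switch v := claims["aud"].(type) {
	case string:
		auds = []string{v}
	case []string:
		auds = v
	case []interface{}: // what encoding/json produces for a JSON array
		for _, e := range v {
			s, ok := e.(string)
			if !ok {
				return false
			}
			auds = append(auds, s)
		}
	}
	match := false
	for _, a := range auds {
		match = match || (want != "" && subtle.ConstantTimeCompare([]byte(a), []byte(want)) == 1)
	}
	return match
}

func main() {
	var c map[string]interface{} // constructed payload: token issued for another service
	_ = json.Unmarshal([]byte(`{"sub":"alice","aud":["billing-api"]}`), &c)
	fmt.Println("weak:", weakVerifyAudience(c, "pulsar-broker", false)) // true
	fmt.Println("strict:", strictVerifyAudience(c, "pulsar-broker"))    // false
}
```

The weak check accepts a token issued for a different audience whenever the claim is treated as optional, which is why a service relying on it needs its own audience comparison.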

