PRISMA-2022-0270 Reported from Twistlock #19661
Comments
Hi @dpericaxon! Thank you for reaching out about this. Digging further into it with help from our security team, it looks like the issue you linked is duplicated by golang-jwt/jwt#258, which explains this is essentially a false positive on the Twistlock/Prisma side. We're looking into upgrading anyway just to avoid churn for folks relying on these scanners, but in the meantime, I wanted to add that additional context.
@dpericaxon just a heads up, this has been addressed by updating to I'm going to go ahead and close this issue, but please feel free to let us know if this does not resolve things. Thanks!
Hello, we ran a twistlock scan and got this finding:
CVE: PRISMA-2022-0270
Image: hashicorp/consul:1.17.0
Description: github.com/golang-jwt/jwt/v4 module prior to v4.4.3 is vulnerable to Denial of Service (DoS). In case one of the RegisteredClaims params is empty it can lead to panic.
Distro: alpine-3.18.4
Package: github.com/golang-jwt/jwt/v4 v4.2.0
Info: golang-jwt/jwt#223
I think it's coming from here: https://github.com/hashicorp/consul/blob/main/go.mod#L186
Are there plans to bump this dependency?
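The finding above reduces to a dependency-version check, so here is an added Go triage example (not code from the Consul project or from anyone in this thread) that reads a go.mod fragment and reports whether github.com/golang-jwt/jwt/v4 is pinned below v4.4.3, the version the finding cites as fixed. The fragment `sampleGoMod` is constructed to mirror the report, and `nums` and `BelowFix` are names chosen for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed go.mod fragment mirroring the scanner finding: jwt/v4 is
// pinned at v4.2.0, below the v4.4.3 the finding cites as fixed.
const sampleGoMod = `require (
	github.com/golang-jwt/jwt/v4 v4.2.0
	github.com/hashicorp/go-hclog v1.5.0 // indirect
)`

// nums splits "vX.Y.Z" into integers and reports whether a "-" suffix
// (pre-release or Go pseudo-version) was present; bad parts parse as 0.
func nums(v string) (n [3]int, pre bool) {
	v, pre = strings.TrimPrefix(v, "v"), strings.Contains(v, "-")
	for i, p := range strings.SplitN(strings.SplitN(v, "-", 2)[0], ".", 3) {
		n[i], _ = strconv.Atoi(p)
	}
	return n, pre
}

// BelowFix reports whether modulePath is required in gomod (block or
// single-line form) at a version sorting below fixed. An absent module
// reports false, so callers should check presence separately.
func BelowFix(gomod, modulePath, fixed string) bool {
	re := regexp.MustCompile(`(?m)^\s*(?:require\s+)?` + regexp.QuoteMeta(modulePath) + `\s+(v\S+)`)
	m := re.FindStringSubmatch(gomod)
	if m == nil {
		return false
	}
	a, apre := nums(m[1])
	b, bpre := nums(fixed)
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return apre && !bpre // same X.Y.Z: only a pre-release/pseudo-version sorts below the release
}

func main() {
	fmt.Println(BelowFix(sampleGoMod, "github.com/golang-jwt/jwt/v4", "v4.4.3")) // true
}
```

Running this against a real go.mod is the quickest way to confirm whether a scanner hit such as this one reflects the pinned version, before deciding whether it is a true finding or, as the maintainers concluded here, a false positive.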