x/vulndb: add reports/GO-2022-0403.yaml for CVE-2021-3127

Fixes golang/vulndb#0386

Change-Id: If10972b0a8a787019ac1dbbe71b424600781ac6c
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/414819
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
diff --git a/reports/GO-2022-0386.yaml b/reports/GO-2022-0386.yaml
new file mode 100644
index 0000000..80ec408
--- /dev/null
+++ b/reports/GO-2022-0386.yaml
@@ -0,0 +1,40 @@
+packages:
+  - module: github.com/nats-io/jwt
+    symbols:
+      - ActivationClaims.Validate
+      - Import.Validate
+    derived_symbols:
+      - Account.Validate
+      - AccountClaims.Validate
+      - Imports.Validate
+    versions:
+      - fixed: 1.2.3-0.20210314221642-a826c77dc9d2
+    vulnerable_at: 1.2.2
+  - module: github.com/nats-io/jwt/v2
+    symbols:
+      - Import.Validate
+    derived_symbols:
+      - Account.Validate
+      - AccountClaims.Validate
+      - Imports.Validate
+    versions:
+      - fixed: 2.0.1
+    vulnerable_at: 2.0.0
+description: |
+    Import tokens valid for one account may be used for any other account.
+
+    Validation of Import token bindings incorrectly warns on mismatches,
+    rather than rejecting the Goken. This permits a token for one account
+    to be used for any other account.
+
+    For further details and mitigation procedures, see
+    https://advisories.nats.io/CVE/CVE-2021-3127.txt
+cves:
+  - CVE-2021-3127
+ghsas:
+  - GHSA-j756-f273-xhp4
+  - GHSA-62mh-w5cv-p88c
+links:
+    pr: https://github.com/nats-io/jwt/pull/149
+    context:
+      - https://advisories.nats.io/CVE/CVE-2021-3127.txt
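Review bot: The published `description` contains a typo, "rejecting the Goken"; the line should read `rather than rejecting the token. This permits a token for one account`, since this text is what advisory consumers see. The commit title names `reports/GO-2022-0403.yaml`, but the file added is `reports/GO-2022-0386.yaml` (matching `Fixes golang/vulndb#0386`), so one of the two IDs looks wrong and should be reconciled to keep the report traceable. `ActivationClaims.Validate` is listed under `symbols` only for `github.com/nats-io/jwt` and not for `github.com/nats-io/jwt/v2`; if that is deliberate, a short comment such as `# ActivationClaims.Validate is not affected in v2` would save the next reader from re-checking. As a style point, the `description` body and the `links` children are indented four spaces while the rest of the file uses two.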