data/reports/GO-2022-0380.yaml - vulndb - Git at Google

 modules:
     - module: github.com/nats-io/jwt
       versions:
         - fixed: 1.1.0
       vulnerable_at: 1.0.1
       packages:
         - package: github.com/nats-io/jwt
           symbols:
             - AccountClaims.IsRevoked
             - Export.IsRevoked
 description: |
     The AccountClaims.IsRevoked and Export.IsRevoked functions improperly
     validate expired credentials using the current system time rather than
     the issue time of the JWT to be tested.

     These functions cannot be used properly. Newer versions of the jwt package
     provide an IsClaimRevoked method which performs correct validation.
     In these versions, the IsRevoked method always return true.
 published: 2022-07-15T23:29:36Z
 cves:
     - CVE-2020-26892
 ghsas:
     - GHSA-2c64-vj8g-vwrq
     - GHSA-4w5x-x539-ppf5
 references:
     - advisory: https://advisories.nats.io/CVE/CVE-2020-26892.txt
     - fix: https://github.com/nats-io/jwt/commit/e11ce317263cef69619fc1ca743b195d02aa1d8a
	modules:
	- module: github.com/nats-io/jwt
	versions:
	- fixed: 1.1.0
	vulnerable_at: 1.0.1
	packages:
	- package: github.com/nats-io/jwt
	symbols:
	- AccountClaims.IsRevoked
	- Export.IsRevoked
	description: \|
	The AccountClaims.IsRevoked and Export.IsRevoked functions improperly
	validate expired credentials using the current system time rather than
	the issue time of the JWT to be tested.

	These functions cannot be used properly. Newer versions of the jwt package
	provide an IsClaimRevoked method which performs correct validation.
	In these versions, the IsRevoked method always return true.
	published: 2022-07-15T23:29:36Z
	cves:
	- CVE-2020-26892
	ghsas:
	- GHSA-2c64-vj8g-vwrq
	- GHSA-4w5x-x539-ppf5
	references:
	- advisory: https://advisories.nats.io/CVE/CVE-2020-26892.txt
	- fix: https://github.com/nats-io/jwt/commit/e11ce317263cef69619fc1ca743b195d02aa1d8a