blob: 39cee3f18b110d0510834507fe01809ca5e16421 [file] [log] [blame]
id: GO-2022-0386
modules:
- module: github.com/nats-io/jwt
versions:
- fixed: 1.2.3-0.20210314221642-a826c77dc9d2
vulnerable_at: 1.2.2
packages:
- package: github.com/nats-io/jwt
symbols:
- ActivationClaims.Validate
- Import.Validate
derived_symbols:
- Account.Validate
- AccountClaims.Validate
- Imports.Validate
- module: github.com/nats-io/jwt/v2
versions:
- fixed: 2.0.1
vulnerable_at: 2.0.0
packages:
- package: github.com/nats-io/jwt/v2
symbols:
- Import.Validate
derived_symbols:
- Account.Validate
- AccountClaims.Validate
- Imports.Validate
summary: Import token permissions checking not enforced in github.com/nats-io/jwt
description: |-
Import tokens valid for one account may be used for any other account.
Validation of Import token bindings incorrectly warns on mismatches, rather than
rejecting the Goken. This permits a token for one account to be used for any
other account.
published: 2022-07-01T20:11:22Z
cves:
- CVE-2021-3127
ghsas:
- GHSA-62mh-w5cv-p88c
- GHSA-9r5x-fjv3-q6h4
- GHSA-j756-f273-xhp4
references:
- advisory: https://advisories.nats.io/CVE/CVE-2021-3127.txt
- fix: https://github.com/nats-io/jwt/pull/149
review_status: REVIEWED