| id: GO-2022-0380 |
| modules: |
| - module: github.com/nats-io/jwt |
| versions: |
| - fixed: 1.1.0 |
| vulnerable_at: 1.0.1 |
| packages: |
| - package: github.com/nats-io/jwt |
| symbols: |
| - AccountClaims.IsRevoked |
| - Export.IsRevoked |
| summary: Incorrect handling of credential expiry in github.com/nats-io/jwt |
| description: |- |
| The AccountClaims.IsRevoked and Export.IsRevoked functions improperly validate |
| expired credentials using the current system time rather than the issue time of |
| the JWT to be tested. |
| |
| These functions cannot be used properly. Newer versions of the jwt package |
| provide an IsClaimRevoked method which performs correct validation. In these |
| versions, the IsRevoked method always return true. |
| published: 2022-07-15T23:29:36Z |
| cves: |
| - CVE-2020-26892 |
| ghsas: |
| - GHSA-2c64-vj8g-vwrq |
| - GHSA-4w5x-x539-ppf5 |
| references: |
| - advisory: https://advisories.nats.io/CVE/CVE-2020-26892.txt |
| - fix: https://github.com/nats-io/jwt/commit/e11ce317263cef69619fc1ca743b195d02aa1d8a |
| review_status: REVIEWED |