blob: 8720340f1e0c15d3cc81e9fd7f2cbe2f65a66c40 [file] [log] [blame]
id: GO-2022-0380
modules:
- module: github.com/nats-io/jwt
versions:
- fixed: 1.1.0
vulnerable_at: 1.0.1
packages:
- package: github.com/nats-io/jwt
symbols:
- AccountClaims.IsRevoked
- Export.IsRevoked
summary: Incorrect handling of credential expiry in github.com/nats-io/jwt
description: |-
The AccountClaims.IsRevoked and Export.IsRevoked functions improperly validate
expired credentials using the current system time rather than the issue time of
the JWT to be tested.
These functions cannot be used properly. Newer versions of the jwt package
provide an IsClaimRevoked method which performs correct validation. In these
versions, the IsRevoked method always return true.
published: 2022-07-15T23:29:36Z
cves:
- CVE-2020-26892
ghsas:
- GHSA-2c64-vj8g-vwrq
- GHSA-4w5x-x539-ppf5
references:
- advisory: https://advisories.nats.io/CVE/CVE-2020-26892.txt
- fix: https://github.com/nats-io/jwt/commit/e11ce317263cef69619fc1ca743b195d02aa1d8a
review_status: REVIEWED