x/vulndb: add reports/GO-2022-0402.yaml for CVE-2020-26521
Fixes golang/vulndb#0402
Change-Id: Iefba6ffd09051da661f3bd3ec8c882617223c0b6
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/414820
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
diff --git a/reports/GO-2022-0402.yaml b/reports/GO-2022-0402.yaml
new file mode 100644
index 0000000..b26a1e8
--- /dev/null
+++ b/reports/GO-2022-0402.yaml
@@ -0,0 +1,24 @@
+packages:
+ - module: github.com/nats-io/jwt
+ symbols:
+ - Export.Validate
+ - Import.Validate
+ - Imports.Validate
+ derived_symbols:
+ - Account.Validate
+ - AccountClaims.Validate
+ - Exports.Validate
+ versions:
+ - fixed: 1.1.0
+ vulnerable_at: 1.0.1
+description: |
+ A malicious account can create and sign a User JWT which causes a panic
+ when decoded by the NATS JWT library.
+cves:
+ - CVE-2020-26521
+ghsas:
+ - GHSA-hmm9-r2m2-qg9w
+links:
+ pr: https://github.com/nats-io/jwt/pull/107
+ context:
+ - https://advisories.nats.io/CVE/CVE-2020-26521.txt