x/vulndb: add reports/GO-2022-0402.yaml for CVE-2020-26521 Fixes golang/vulndb#0402 Change-Id: Iefba6ffd09051da661f3bd3ec8c882617223c0b6 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/414820 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Tatiana Bradley <tatiana@golang.org>

commit: b250eef87586b6b0bf1ae7b20e00346b7128a865 [log] [tgz]
author: Damien Neil <dneil@google.com> Tue Jun 28 13:39:36 2022 -0700
committer: Damien Neil <dneil@google.com> Fri Jul 01 20:10:43 2022 +0000
tree: d3166727eb461b740f3ac28918bb5107351dc1c3
parent: 2985a5852e4b366561c3d4ab6c16e6f7e4ba8e71 [diff]
diff --git a/reports/GO-2022-0402.yaml b/reports/GO-2022-0402.yaml
new file mode 100644
index 0000000..b26a1e8
--- /dev/null
+++ b/reports/GO-2022-0402.yaml

@@ -0,0 +1,24 @@
+packages:
+  - module: github.com/nats-io/jwt
+    symbols:
+      - Export.Validate
+      - Import.Validate
+      - Imports.Validate
+    derived_symbols:
+      - Account.Validate
+      - AccountClaims.Validate
+      - Exports.Validate
+    versions:
+      - fixed: 1.1.0
+    vulnerable_at: 1.0.1
+description: |
+    A malicious account can create and sign a User JWT which causes a panic
+    when decoded by the NATS JWT library.
+cves:
+  - CVE-2020-26521
+ghsas:
+  - GHSA-hmm9-r2m2-qg9w
+links:
+    pr: https://github.com/nats-io/jwt/pull/107
+    context:
+      - https://advisories.nats.io/CVE/CVE-2020-26521.txt
commit	b250eef87586b6b0bf1ae7b20e00346b7128a865	[log] [tgz]
author	Damien Neil <dneil@google.com>	Tue Jun 28 13:39:36 2022 -0700
committer	Damien Neil <dneil@google.com>	Fri Jul 01 20:10:43 2022 +0000
tree	d3166727eb461b740f3ac28918bb5107351dc1c3
parent	2985a5852e4b366561c3d4ab6c16e6f7e4ba8e71 [diff]