Vulnerability Report: GO-2022-0386

CVE-2021-3127, GHSA-62mh-w5cv-p88c, and 2 more
Affects: github.com/nats-io/jwt, github.com/nats-io/jwt/v2
Published: Jul 01, 2022
Modified: Jun 12, 2023

Import tokens valid for one account may be used for any other account. Validation of Import token bindings incorrectly warns on mismatches, rather than rejecting the Goken. This permits a token for one account to be used for any other account.

For detailed information about this vulnerability, visit https://advisories.nats.io/CVE/CVE-2021-3127.txt.

Affected Packages

Path

Versions

Symbols
github.com/nats-io/jwt

before v1.2.3-0.20210314221642-a826c77dc9d2
5 affected symbols
github.com/nats-io/jwt/v2

before v2.0.1

Aliases

CVE-2021-3127
GHSA-62mh-w5cv-p88c
GHSA-9r5x-fjv3-q6h4
GHSA-j756-f273-xhp4

References

https://advisories.nats.io/CVE/CVE-2021-3127.txt
https://github.com/nats-io/jwt/pull/149
https://vuln.go.dev/ID/GO-2022-0386.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL