Описание
Duplicate Advisory: Incorrect Access Control in github.com/nats-io/jwt and github.com/nats-io/nats-server/v2
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-62mh-w5cv-p88c (for github.com/nats-io/jwt) and GHSA-j756-f273-xhp4 (for github.com/nats-io/nats-server). This link is maintained to preserve external references.
Original Description
NATS Server (github.com/nats-io/nats-server/v2/server) 2.x before 2.2.0 and JWT library (github.com/nats-io/jwt/v2) before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2021-3127
- https://github.com/nats-io/jwt/pull/149
- https://github.com/nats-io/jwt/pull/149/commits/a826c77dc9d2671c961b75ceefdb439c41029866
- https://github.com/nats-io/nats-server/commit/423b79440c80c863de9f4e20548504e6c5d5e403
- https://advisories.nats.io/CVE/CVE-2021-3127.txt
Пакеты
Наименование
github.com/nats-io/jwt/v2
go
Затронутые версииВерсия исправления
< 2.0.1
2.0.1
Наименование
github.com/nats-io/nats-server/v2
go
Затронутые версииВерсия исправления
< 2.2.0
2.2.0
Наименование
github.com/nats-io/jwt
go
Затронутые версииВерсия исправления
< 1.2.3-0.20210314221642-a826c77dc9d2
1.2.3-0.20210314221642-a826c77dc9d2
7.5 High
CVSS3
Дефекты
CWE-284
CWE-863
7.5 High
CVSS3
Дефекты
CWE-284
CWE-863