Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlyNXgtZmp2My1xNmg0

High
Permalink JSON

Duplicate Advisory: Incorrect Access Control in github.com/nats-io/jwt and github.com/nats-io/nats-server/v2

Affected Packages Affected Versions Fixed Versions
go:github.com/nats-io/jwt < 1.2.3-0.20210314221642-a826c77dc9d2 1.2.3-0.20210314221642-a826c77dc9d2
543 Dependent packages
25,517 Dependent repositories

Affected Version Ranges

All affected versions

0.0.3, 0.0.4, 0.0.5, 0.0.6, 0.0.8, 0.1.0, 0.2.0, 0.2.2, 0.2.4, 0.2.6, 0.2.8, 0.2.10, 0.2.12, 0.2.14, 0.2.16, 0.3.0, 0.3.2, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2

All unaffected versions

2.4.0, 2.4.1, 2.5.0, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.6.0, 2.7.0, 2.7.2, 2.7.3
go:github.com/nats-io/nats-server/v2 < 2.2.0 2.2.0
6,417 Dependent packages
24,884 Dependent repositories

Affected Version Ranges

All affected versions

2.0.0, 2.0.2, 2.0.4, 2.1.0, 2.1.2, 2.1.4, 2.1.6, 2.1.7, 2.1.8, 2.1.9

All unaffected versions

2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.9.11, 2.9.12, 2.9.14, 2.9.15, 2.9.16, 2.9.17, 2.9.18, 2.9.19, 2.9.20, 2.9.21, 2.9.22, 2.9.23, 2.9.24, 2.9.25, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.10.6, 2.10.7, 2.10.8, 2.10.9, 2.10.10, 2.10.11, 2.10.12, 2.10.14, 2.10.15, 2.10.16, 2.10.17, 2.10.18, 2.10.19, 2.10.20, 2.10.21, 2.10.22, 2.10.23, 2.10.24, 2.10.25, 2.10.26, 2.10.27, 2.10.28, 2.10.29, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6
go:github.com/nats-io/jwt/v2 < 2.0.1 2.0.1
869 Dependent packages
4,844 Dependent repositories

Affected Version Ranges

All affected versions

2.0.0

All unaffected versions

2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.2.0, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.6.0, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-62mh-w5cv-p88c (for github.com/nats-io/jwt) and GHSA-j756-f273-xhp4 (for github.com/nats-io/nats-server). This link is maintained to preserve external references.

Original Description

NATS Server (github.com/nats-io/nats-server/v2/server) 2.x before 2.2.0 and JWT library (github.com/nats-io/jwt/v2) before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.

References:

Identifiers

GHSA-9r5x-fjv3-q6h4

Risk

Severity

High

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/nats-io/jwt

Date and time

Published

over 3 years ago

Updated

about 1 year ago

Withdrawn

about 1 year ago

API

JSON