GHSA-9r5x-fjv3-q6h4

Source

https://github.com/advisories/GHSA-9r5x-fjv3-q6h4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-9r5x-fjv3-q6h4/GHSA-9r5x-fjv3-q6h4.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-9r5x-fjv3-q6h4

Aliases

Related

CGA-wg3j-593x-7xrc

Withdrawn

2024-05-21T14:35:21Z

Published

2022-02-15T01:57:18Z

Modified

2024-05-21T14:35:21Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Duplicate Advisory: Incorrect Access Control in github.com/nats-io/jwt and github.com/nats-io/nats-server/v2

Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-62mh-w5cv-p88c (for github.com/nats-io/jwt) and GHSA-j756-f273-xhp4 (for github.com/nats-io/nats-server). This link is maintained to preserve external references.

Original Description

NATS Server (github.com/nats-io/nats-server/v2/server) 2.x before 2.2.0 and JWT library (github.com/nats-io/jwt/v2) before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.

Database specific

{
    "nvd_published_at": "2021-03-16T20:15:00Z",
    "cwe_ids": [
        "CWE-284",
        "CWE-863"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-12T20:34:10Z"
}

References

Affected packages

Go / github.com/nats-io/jwt/v2

Package

Name: github.com/nats-io/jwt/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/nats-io/jwt/v2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.1

Go / github.com/nats-io/nats-server/v2

Package

Name: github.com/nats-io/nats-server/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/nats-io/nats-server/v2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.2.0

Go / github.com/nats-io/jwt

Package

Name: github.com/nats-io/jwt; View open source insights on deps.dev
Purl: pkg:golang/github.com/nats-io/jwt

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.3-0.20210314221642-a826c77dc9d2