GO-2022-0380

Source
https://pkg.go.dev/vuln/GO-2022-0380
Import Source
https://vuln.go.dev/ID/GO-2022-0380.json
JSON Data
https://api.test.osv.dev/v1/vulns/GO-2022-0380
Aliases
Published
2022-07-15T23:29:36Z
Modified
2024-05-20T16:03:47Z
Summary
Incorrect handling of credential expiry in github.com/nats-io/jwt
Details

The AccountClaims.IsRevoked and Export.IsRevoked functions improperly validate expired credentials using the current system time rather than the issue time of the JWT to be tested.

These functions cannot be used properly. Newer versions of the jwt package provide an IsClaimRevoked method which performs correct validation. In these versions, the IsRevoked method always returns true.

Database specific
{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0380"
}
References

Affected packages

Go / github.com/nats-io/jwt

Package

Name
github.com/nats-io/jwt
Purl
pkg:golang/github.com/nats-io/jwt

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.1.0

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/nats-io/jwt",
            "symbols": [
                "AccountClaims.IsRevoked",
                "Export.IsRevoked"
            ]
        }
    ]
}