GO-2022-0386

See a problem?
Please try reporting it to the source first.

Source

https://pkg.go.dev/vuln/GO-2022-0386

Import Source

https://vuln.go.dev/ID/GO-2022-0386.json

JSON Data

https://api.test.osv.dev/v1/vulns/GO-2022-0386

Aliases

Published

2022-07-01T20:11:22Z

Modified

2024-05-20T16:03:47Z

Summary

Import token permissions checking not enforced in github.com/nats-io/jwt

Details

Import tokens valid for one account may be used for any other account.

Validation of Import token bindings incorrectly warns on mismatches, rather than rejecting the Goken. This permits a token for one account to be used for any other account.

Database specific

{
    "review_status": "REVIEWED",
    "url": "https://pkg.go.dev/vuln/GO-2022-0386"
}

References

Affected packages

Go / github.com/nats-io/jwt

Package

Name: github.com/nats-io/jwt; View open source insights on deps.dev
Purl: pkg:golang/github.com/nats-io/jwt

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.2.3-0.20210314221642-a826c77dc9d2

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/nats-io/jwt",
            "symbols": [
                "Account.Validate",
                "AccountClaims.Validate",
                "ActivationClaims.Validate",
                "Import.Validate",
                "Imports.Validate"
            ]
        }
    ]
}

Go / github.com/nats-io/jwt/v2

Package

Name: github.com/nats-io/jwt/v2; View open source insights on deps.dev
Purl: pkg:golang/github.com/nats-io/jwt/v2

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.1

Ecosystem specific

{
    "imports": [
        {
            "path": "github.com/nats-io/jwt/v2",
            "symbols": [
                "Account.Validate",
                "AccountClaims.Validate",
                "Import.Validate",
                "Imports.Validate"
            ]
        }
    ]
}