CVE-2021-3127

Description

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-62mh-w5cv-p88c (for github.com/nats-io/jwt) and GHSA-j756-f273-xhp4 (for github.com/nats-io/nats-server). This link is maintained to preserve external references. ## Original Description NATS Server (github.com/nats-io/nats-server/v2/server) 2.x before 2.2.0 and JWT library (github.com/nats-io/jwt/v2) before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.

Affected packages (10)

• Bitnami/nats>= 2.0.0, < 2.2.0
• Debian/golang-github-nats-io-jwtfrom 0, < 2.2.0-1
• Go/github.com/nats-io/jwtfrom 0, <= 1.2.2
• Go/github.com/nats-io/jwtfrom 0, < 1.2.3-0.20210314221642-a826c77dc9d2
• Go/github.com/nats-io/jwtfrom 0, < 1.2.3-0.20210314221642-a826c77dc9d2
• Go/github.com/nats-io/jwt/v2from 0, < 2.0.1
• Go/github.com/nats-io/jwt/v2from 0, < 2.0.1
• Go/github.com/nats-io/jwt/v2from 0, < 2.0.1
• Go/github.com/nats-io/nats-server/v2from 0, < 2.2.0
• Go/github.com/nats-io/nats-server/v2from 0, < 2.2.0

CVSS scores

References (11)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-3127
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-3127
• PATCHhttps://github.com/nats-io/jwt
• PATCHhttps://github.com/nats-io/nats-server
• WEBhttps://advisories.nats.io/CVE/CVE-2021-3127.txt
• WEBhttps://github.com/nats-io/jwt/commit/6c72fdd73e82fa9ebb151d84773baf4e9164c4ab
• WEBhttps://github.com/nats-io/jwt/pull/149
• WEBhttps://github.com/nats-io/jwt/pull/149/commits/a826c77dc9d2671c961b75ceefdb439c41029866
• WEBhttps://github.com/nats-io/jwt/security/advisories/GHSA-62mh-w5cv-p88c
• WEBhttps://github.com/nats-io/nats-server/commit/423b79440c80c863de9f4e20548504e6c5d5e403
• WEBhttps://github.com/nats-io/nats-server/security/advisories/GHSA-j756-f273-xhp4