CVE-2020-26521 github.com/nats-io/jwt

Package

Manager: go
Name: github.com/nats-io/jwt
Vulnerable Version: >=0 <1.1.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00682 (percentile 0.70732)

Details

Nil dereference in NATS JWT, DoS of nats-server

## Problem Description

The NATS account system has an Operator trusted by the servers, which signs Accounts, and each Account can then create and sign Users within their account. The Operator should be able to safely issue Accounts to other entities which it does not fully trust. A malicious Account could create and sign a User JWT with a state not created by the normal tooling, such that decoding by the NATS JWT library (written in Go) would attempt a nil dereference, aborting execution. The NATS Server is known to be impacted by this.

## Affected versions

#### JWT library
* all versions prior to 1.1.0

#### NATS Server
* Version 2 prior to 2.1.9

## Impact

#### JWT library
* Programs would nil dereference and panic, aborting execution by default.

#### NATS server
* Denial of Service caused by process termination

## Workaround

If your NATS servers do not trust any accounts which are managed by untrusted entities, then malformed User credentials are unlikely to be encountered.

## Solution

Upgrade the JWT dependency in any application using it. Upgrade the NATS server if using NATS Accounts.
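As an added illustration of the bug class described above (this is not code from nats-io/jwt or nats-server; the claim types, field names and sample payload are hypothetical stand-ins), the following Go snippet shows a decoder that dereferences a field the normal tooling always emits, a hardened decoder that validates the decoded state before use, and a recover wrapper that turns a residual panic into an error so one malformed credential cannot terminate the process:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical, simplified stand-ins for user claims; not the nats-io/jwt types.
// Limits is a pointer so that an omitted "limits" key decodes to nil.
type UserLimits struct {
	MaxSubs int64 `json:"subs"`
}
type UserClaims struct {
	Subject string      `json:"sub"`
	Limits  *UserLimits `json:"limits"`
}

// decodeUnsafe mirrors the bug class (CWE-476): it assumes every field the
// normal tooling emits is present, so a hand-crafted payload panics here.
func decodeUnsafe(payload []byte) (int64, error) {
	var c UserClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return 0, err
	}
	return c.Limits.MaxSubs, nil // nil pointer dereference when "limits" is absent
}

// decodeSafe validates the decoded state and reports malformed input as an error.
func decodeSafe(payload []byte) (int64, error) {
	var c UserClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return 0, err
	}
	if c.Subject == "" || c.Limits == nil {
		return 0, errors.New("malformed user claims: required fields missing")
	}
	return c.Limits.MaxSubs, nil
}

// guard converts a panic raised inside a decoder into an error (defence in depth
// for a long-running server; it does not replace fixing the decoder).
func guard(fn func() (int64, error)) (n int64, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("decoder panicked: %v", r)
		}
	}()
	return fn()
}

// malformed is a constructed payload with the "limits" object omitted.
var malformed = []byte(`{"sub":"UABC"}`)
```

The recover wrapper only keeps the process alive; the advisory's actual remedy is upgrading the JWT dependency to 1.1.0 and nats-server to 2.1.9.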

Metadata

Created: 2022-02-11T23:43:13Z
Modified: 2023-02-17T22:18:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-h2fg-54x9-5qhq/GHSA-h2fg-54x9-5qhq.json
CWE IDs: ["CWE-476"]
Alternative ID: GHSA-h2fg-54x9-5qhq
Finding: F002
Auto approve: 1