
x/vulndb: potential Go vuln in github.com/nats-io/nats-server/v2: GHSA-2c64-vj8g-vwrq #380


Closed
GoVulnBot opened this issue Mar 24, 2022 · 3 comments
Comments

@GoVulnBot

In GitHub Security Advisory GHSA-2c64-vj8g-vwrq, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/nats-io/nats-server/v2 | 2.1.9 | < 2.1.9 |

See doc/triage.md for instructions on how to triage this report.

package: github.com/nats-io/nats-server/v2
versions:
  - introduced: v0.0.0
    fixed: v2.1.9
description: |-
    (This advisory is canonically https://advisories.nats.io/CVE/CVE-2020-26892.txt )

    ## Problem Description

    NATS nats-server through 2020-10-07 has Incorrect Access Control because of how expired credentials are handled.

    The NATS accounts system has expiration timestamps on credentials; the <https://github.com/nats-io/jwt> library had an API which encouraged misuse and an `IsRevoked()` method which misused its own API.

    A new `IsClaimRevoked()` method has correct handling and the nats-server has been updated to use this.  The old `IsRevoked()` method now always returns true and other client code will have to be updated to avoid calling it.

    The CVE identifier should cover any application using the old JWT API, where the nats-server is one of those applications.


    ## Affected versions

    #### JWT library

     * all versions prior to 1.1.0
     * fixed after nats-io/jwt PR 103 landed (2020-10-06)

    #### NATS Server

     * Version 2 prior to 2.1.9
       + 2.0.0 through and including 2.1.8 are vulnerable.
     * fixed with nats-io/nats-server PRs 1632, 1635, 1645


    ## Impact

    Time-based credential expiry did not work.


    ## Workaround

    Have credentials which only expire after fixes can be deployed.


    ## Solution

    Upgrade the JWT dependency in any application using it.

    Upgrade the NATS server if using NATS Accounts.
published: 2021-05-21T16:11:49Z
last_modified: 2021-05-21T16:11:49Z
ghsas:
  - GHSA-2c64-vj8g-vwrq
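As an added illustration, not code from the nats-io/jwt library or the NATS server, the Go sketch below models the API-shape hazard the advisory describes: a revocation check that takes a bare timestamp will happily accept the wrong clock from its caller and still compile, whereas a check that takes the claim itself compares against the right field by construction. The names `RevocationList`, `UserClaims`, `IsRevokedAt`, `IsClaimRevoked`, `IsExpired` and `Authorize`, the sample key `UEXAMPLE` and the timestamps are all constructed stand-ins with semantics of my own; the advisory does not say how the original `IsRevoked()` misused its API, so the misuse shown here is one plausible shape of that hazard, not the actual defect.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Constructed model, not the nats-io/jwt API: a RevocationList maps a
// credential's public key to the Unix time at which that key was revoked.
// Credentials issued at or before that instant must be rejected.
type RevocationList map[string]int64

// UserClaims is a reduced, hypothetical stand-in for a signed credential.
type UserClaims struct {
	Subject  string // public key the credential was issued to
	IssuedAt int64  // Unix seconds
	Expires  int64  // Unix seconds; 0 means the credential never expires
}

// IsRevokedAt is the misuse-prone shape: it takes a bare timestamp and relies
// on the caller knowing to pass the claim's IssuedAt. Passing time.Now() also
// type-checks, but then a revocation that happened in the past never matches.
func (r RevocationList) IsRevokedAt(pubKey string, ts time.Time) bool {
	revokedAt, ok := r[pubKey]
	return ok && revokedAt >= ts.Unix()
}

// IsClaimRevoked takes the claim, so the comparison is against the issue time
// by construction and no caller can hand it the wrong clock.
func (r RevocationList) IsClaimRevoked(c *UserClaims) bool {
	revokedAt, ok := r[c.Subject]
	return ok && revokedAt >= c.IssuedAt
}

// IsExpired is the separate time-based check: the credential's own Expires
// field against the clock at authentication time.
func IsExpired(c *UserClaims, now time.Time) bool {
	return c.Expires != 0 && now.Unix() >= c.Expires
}

var (
	ErrExpired = errors.New("credential expired")
	ErrRevoked = errors.New("credential revoked")
)

// Authorize combines the checks the way a server should: reject on expiry or
// revocation, accept otherwise.
func Authorize(rl RevocationList, c *UserClaims, now time.Time) error {
	if IsExpired(c, now) {
		return ErrExpired
	}
	if rl.IsClaimRevoked(c) {
		return ErrRevoked
	}
	return nil
}

func main() {
	// Constructed timeline: issued at T, revoked at T+1h, checked at T+2h.
	issued := time.Date(2020, 10, 1, 12, 0, 0, 0, time.UTC)
	revokedAt := issued.Add(time.Hour)
	now := revokedAt.Add(time.Hour)

	claim := &UserClaims{
		Subject:  "UEXAMPLE",
		IssuedAt: issued.Unix(),
		Expires:  issued.Add(24 * time.Hour).Unix(),
	}
	rl := RevocationList{claim.Subject: revokedAt.Unix()}

	// Misuse: the revocation time is compared against "now" rather than the
	// credential's issue time, so the revoked credential is still accepted.
	fmt.Println("timestamp API with time.Now():", rl.IsRevokedAt(claim.Subject, now)) // false
	// The claim-aware check reaches the right verdict.
	fmt.Println("claim-aware check:            ", rl.IsClaimRevoked(claim)) // true
	fmt.Println("authorize at T+2h:            ", Authorize(rl, claim, now))
	fmt.Println("authorize at T+48h, no list:  ", Authorize(RevocationList{}, claim, issued.Add(48*time.Hour)))
}
```

The design point is that the safer API removes a decision from every call site: with `IsClaimRevoked` there is no timestamp argument to get wrong, which is the same shape of fix the advisory describes for the jwt library.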

@gopherbot
Contributor

Change https://go.dev/cl/416558 mentions this issue: x/vulndb: add reports/GO-2022-0380.yaml for CVE-2020-26892

@gopherbot
Contributor

Change https://go.dev/cl/423038 mentions this issue: reports: add missing GHSAs

gopherbot pushed a commit that referenced this issue Aug 12, 2022
For #57
For #380
For #384
For #386
For #402
For #534

Change-Id: I953da31e396f0afae72e8d4e2fc7bc51fb303570
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/423038
Reviewed-by: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Julie Qiu <[email protected]>
Run-TryBot: Julie Qiu <[email protected]>
@gopherbot
Contributor

Change https://go.dev/cl/451287 mentions this issue: data/reports: update GO-2022-0380.yaml and GO-2022-0386.yaml

gopherbot pushed a commit that referenced this issue Nov 18, 2022
Move advisory link from description text to references section.

Updates #380, #386

Change-Id: I3b9305d17d5b101946ec756a4b54e0cae8eaa950
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/451287
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Run-TryBot: Tatiana Bradley <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>