
x/vulndb: potential Go vuln in github.com/nats-io/nats-server/v2: GHSA-hmm9-r2m2-qg9w #402


Closed
GoVulnBot opened this issue Mar 24, 2022 · 2 comments
Comments

@GoVulnBot

In GitHub Security Advisory GHSA-hmm9-r2m2-qg9w, there is a vulnerability in the following Go packages or modules:

| Unit | Fixed | Vulnerable Ranges |
| --- | --- | --- |
| github.com/nats-io/nats-server/v2 | 2.1.9 | < 2.1.9 |

See doc/triage.md for instructions on how to triage this report.

```yaml
package: github.com/nats-io/nats-server/v2
versions:
  - introduced: v0.0.0
    fixed: v2.1.9
description: |-
    (This advisory is canonically <https://advisories.nats.io/CVE/CVE-2020-26521.txt>)

    ## Problem Description

    The NATS account system has an Operator trusted by the servers, which signs Accounts, and each Account can then create and sign Users within their account.  The Operator should be able to safely issue Accounts to other entities which it does not fully trust.

    A malicious Account could create and sign a User JWT with a state not created by the normal tooling, such that decoding by the NATS JWT library (written in Go) would attempt a nil dereference, aborting execution.

    The NATS Server is known to be impacted by this.


    ## Affected versions

    #### JWT library

     * all versions prior to 1.1.0

    #### NATS Server

     * Version 2 prior to 2.1.9


    ## Impact

    #### JWT library

     * Programs would nil dereference and panic, aborting execution by default.

    #### NATS server

     * Denial of Service caused by process termination


    ## Workaround

    If your NATS servers do not trust any accounts which are managed by untrusted entities, then malformed User credentials are unlikely to be encountered.


    ## Solution

    Upgrade the JWT dependency in any application using it.

    Upgrade the NATS server if using NATS Accounts.
published: 2021-05-21T16:22:10Z
last_modified: 2021-05-21T16:22:10Z
ghsas:
  - GHSA-hmm9-r2m2-qg9w
```
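The failure mode the advisory describes (a decoder that trusts the decoded claims to be fully populated and nil-dereferences on a hand-crafted token) next to the hardened form, as an added Go example that is not code from the NATS project or the nats-io/jwt library; the `Limits`/`UserClaims` types, field names and the sample payload are constructed stand-ins, not the real library's types:

```go
package main
import ("encoding/json"; "errors"; "fmt")

// Hypothetical claims layout (constructed here, not the real nats-io/jwt types):
// normal tooling always emits "limits", but a hand-crafted token may omit it.
type Limits struct{ MaxSubs int64 `json:"subs"` }
type UserClaims struct {
	Subject string  `json:"sub"`
	Limits  *Limits `json:"limits"` // left nil by the decoder when absent
}

// Vulnerable pattern: dereferences Limits unconditionally, so a token
// missing that section kills the process with a nil dereference.
func maxSubsUnchecked(payload []byte) (int64, error) {
	var uc UserClaims
	if err := json.Unmarshal(payload, &uc); err != nil {
		return 0, err
	}
	return uc.Limits.MaxSubs, nil
}

// Hardened pattern: validate the decoded structure and reject a malformed
// credential with an error instead of letting the server die.
func maxSubsChecked(payload []byte) (int64, error) {
	var uc UserClaims
	if err := json.Unmarshal(payload, &uc); err != nil {
		return 0, err
	}
	if uc.Subject == "" || uc.Limits == nil {
		return 0, errors.New("malformed user claims: missing required fields")
	}
	return uc.Limits.MaxSubs, nil
}

// Defence in depth: turn any panic inside the decoder into an error.
func safeDecode(payload []byte, fn func([]byte) (int64, error)) (n int64, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("decoder panicked on untrusted input: %v", r)
		}
	}()
	return fn(payload)
}

var malformed = []byte(`{"sub":"UABC"}`) // constructed sample (claims body only): no "limits" section

func main() {
	_, err := safeDecode(malformed, maxSubsUnchecked)
	fmt.Println("unchecked decoder:", err)
}
```

The recover wrapper only contains the crash; the structural check in `maxSubsChecked` is the actual fix, since it rejects the credential before any field is dereferenced.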

@gopherbot
Contributor

Change https://go.dev/cl/414820 mentions this issue: x/vulndb: add reports/GO-2022-0402.yaml for CVE-2020-26521

@gopherbot
Contributor

Change https://go.dev/cl/423038 mentions this issue: reports: add missing GHSAs

gopherbot pushed a commit that referenced this issue Aug 12, 2022
For #57
For #380
For #384
For #386
For #402
For #534

Change-Id: I953da31e396f0afae72e8d4e2fc7bc51fb303570
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/423038
Reviewed-by: Damien Neil <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Julie Qiu <[email protected]>
Run-TryBot: Julie Qiu <[email protected]>