CVE-2020-26892
Published 2020-11-06. CVE-2020-26892: The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled.
Priority P3 55 · critical · 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.05% (78.9th percentile)
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-nats-io-jwt | < golang-github-nats-io-jwt 2.2.0-1 (bookworm) | golang-github-nats-io-jwt 2.2.0-1 (bookworm) |
| fedoraproject | fedora | — | — |
| github.com | nats-io_jwt | >= 0 < 1.1.0 | 1.1.0 |
| github.com | nats-io_nats-server_v2 | >= 0 < 2.1.9 | 2.1.9 |
| linuxfoundation | nats-server | < 2.1.9 | 2.1.9 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
OSV
Incorrect handling of credential expiry in github.com/nats-io/jwt
osv·2022-07-15
CVE-2020-26892 Incorrect handling of credential expiry in github.com/nats-io/jwt
The AccountClaims.IsRevoked and Export.IsRevoked functions improperly validate expired credentials: they compare the revocation timestamp against the current system time rather than against the issue time of the JWT being tested.
These functions cannot be used correctly as designed. Newer versions of the jwt package provide an IsClaimRevoked method which performs the correct validation; in those versions the IsRevoked method always returns true.
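To make the failure mode concrete, here is an added, self-contained Go illustration (not the jwt package's or nats-server's own code) of the two checks side by side. It assumes the NATS revocation semantic that an entry "revoke key K at time T" invalidates every JWT for K issued at or before T, so that a freshly re-issued JWT after T is valid again. The RevocationList and UserClaims types, the method names IsRevokedBuggy and Scenario, the key string and the timeline are all constructed for this example; IsClaimRevoked mirrors the name of the corrected API described above but is written here from scratch.

```go
package main

import (
	"fmt"
	"time"
)

// RevocationList maps a user public key to its revocation instant (Unix
// seconds). Assumed semantic: every JWT for that key issued at or before
// the instant is revoked; JWTs issued later (re-issued credentials) are fine.
type RevocationList map[string]int64

// UserClaims is a hypothetical stand-in for a user JWT carrying only the
// two fields the revocation check needs.
type UserClaims struct {
	Subject  string // user public key
	IssuedAt int64  // "iat", Unix seconds
}

// Revoke records a revocation, keeping the newer timestamp if one exists.
func (r RevocationList) Revoke(pubKey string, at time.Time) {
	ts := at.Unix()
	if cur, ok := r[pubKey]; !ok || ts > cur {
		r[pubKey] = ts
	}
}

// isRevokedAt is the shared comparison: revoked if a revocation is recorded
// for the key and its instant is at or after the supplied reference time.
func (r RevocationList) isRevokedAt(pubKey string, ref int64) bool {
	ts, ok := r[pubKey]
	return ok && ts >= ref
}

// IsRevokedBuggy reproduces the pattern the advisory describes: the reference
// time is the wall clock instead of the JWT's issue time. A revocation is
// always recorded at some past instant, so "revokedAt >= now" turns false as
// soon as the clock moves on and the revoked credential keeps working.
func (r RevocationList) IsRevokedBuggy(pubKey string, now time.Time) bool {
	return r.isRevokedAt(pubKey, now.Unix())
}

// IsClaimRevoked is the correct check: compare the revocation instant with
// the issue time of the specific JWT being presented, not with the clock.
func (r RevocationList) IsClaimRevoked(claim *UserClaims) bool {
	return r.isRevokedAt(claim.Subject, claim.IssuedAt)
}

// Scenario runs a constructed timeline: a JWT issued at t0, the key revoked
// at t0+1h, a check performed at t0+2h, and a re-issued JWT at t0+90min.
// It returns the verdict of the buggy check on the old JWT, the verdict of
// the correct check on the old JWT, and the correct check on the new JWT.
func Scenario() (buggy, correct, reissued bool) {
	const key = "UEXAMPLEUSERKEY" // constructed, not a real NATS key
	t0 := time.Date(2020, 10, 1, 12, 0, 0, 0, time.UTC)

	old := &UserClaims{Subject: key, IssuedAt: t0.Unix()}
	rl := RevocationList{}
	rl.Revoke(key, t0.Add(time.Hour))

	now := t0.Add(2 * time.Hour)
	buggy = rl.IsRevokedBuggy(key, now) // false: revocation lies in the past
	correct = rl.IsClaimRevoked(old)    // true: issued before the revocation

	fresh := &UserClaims{Subject: key, IssuedAt: t0.Add(90 * time.Minute).Unix()}
	reissued = rl.IsClaimRevoked(fresh) // false: issued after the revocation
	return buggy, correct, reissued
}

func main() {
	b, c, r := Scenario()
	fmt.Printf("buggy check on revoked JWT: %v\n", b)
	fmt.Printf("correct check on revoked JWT: %v\n", c)
	fmt.Printf("correct check on re-issued JWT: %v\n", r)
}
```

The practical takeaway for reviewers of similar code: a revocation timestamp is a statement about when a credential was issued, so the only meaningful comparison is against that credential's issue time; comparing it against the wall clock makes every revocation silently expire the moment it is recorded.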
GHSA
Incorrect handling of credential expiry by /nats-io/nats-server
ghsa·2022-02-11
CVE-2020-26892 [CRITICAL] CWE-798 Incorrect handling of credential expiry by /nats-io/nats-server
## Problem Description
NATS nats-server through 2020-10-07 has Incorrect Access Control because of how expired credentials are handled.
The NATS accounts system has expiration timestamps on credentials; the library had an API which encouraged misuse and an `IsRevoked()` method which misused its own API.
A new `IsClaimRevoked()` method has correct handling and the nats-server has been updated to use this. The old `IsRevoked()` method now always returns true and other client code will have to be updated to avoid calling it.
The CVE identifier should cover any application using the old JWT API, where the nats-server is one of those applications.
## Affected versions
#### JWT library
* all versions prior to 1.1.0
* fixed: 1.1.0
GHSA
Incorrect handling of credential expiry by /nats-io/nats-server
ghsa·2021-05-21·CVSS 9.8
CVE-2020-26892 [CRITICAL] CWE-284 Incorrect handling of credential expiry by /nats-io/nats-server
(This advisory is canonically https://advisories.nats.io/CVE/CVE-2020-26892.txt )
## Problem Description
NATS nats-server through 2020-10-07 has Incorrect Access Control because of how expired credentials are handled.
The NATS accounts system has expiration timestamps on credentials; the library had an API which encouraged misuse and an `IsRevoked()` method which misused its own API.
A new `IsClaimRevoked()` method has correct handling and the nats-server has been updated to use this. The old `IsRevoked()` method now always returns true and other client code will have to be updated to avoid calling it.
The CVE identifier should cover any application using the old JWT API, where the nats-server is one of those applications.
OSV
CVE-2020-26892: The JWT library in NATS nats-server before 2.1.9
osv·2020-11-06·CVSS 9.8
CVE-2020-26892 [CRITICAL] The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled.
Debian
CVE-2020-26892: golang-github-nats-io-jwt
vendor_debian·2020·CVSS 9.8
CVE-2020-26892 [CRITICAL] golang-github-nats-io-jwt - The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled.
Scope: local
bookworm: resolved (fixed in 2.2.0-1)
forky: resolved (fixed in 2.2.0-1)
sid: resolved (fixed in 2.2.0-1)
trixie: resolved (fixed in 2.2.0-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/nats-io/nats-server/commits/master
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT67XCLIIBYRT762SVFBYFFTQFVSM3SI/
- https://www.openwall.com/lists/oss-security/2020/11/02/2
Published: 2020-11-06