CVE-2021-3127
Published 2021-03-16
CVE-2021-3127: NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.
Priority P341 · high · CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 1.46% (70.3rd percentile)
NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-nats-io-jwt | < golang-github-nats-io-jwt 2.2.0-1 (bookworm) | golang-github-nats-io-jwt 2.2.0-1 (bookworm) |
| debian | nats-server | < golang-github-nats-io-jwt 2.2.0-1 (bookworm) | golang-github-nats-io-jwt 2.2.0-1 (bookworm) |
| github.com | nats-io_jwt | >= 0 < 1.2.3-0.20210314221642-a826c77dc9d2 | 1.2.3-0.20210314221642-a826c77dc9d2 |
| github.com | nats-io_jwt | 0 – 1.2.2 | — |
| github.com | nats-io_jwt_v2 | >= 0 < 2.0.1 | 2.0.1 |
| github.com | nats-io_nats-server_v2 | >= 0 < 2.2.0 | 2.2.0 |
| linuxfoundation | nats-server | >= 2.0.0 < 2.2.0 | 2.2.0 |
| nats | jwt_library | < 2.0.1 | 2.0.1 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
OSV · 2022-07-01
Import token permissions checking not enforced in github.com/nats-io/jwt (CVE-2021-3127)
Import tokens valid for one account may be used for any other account.
Validation of Import token bindings incorrectly warns on mismatches, rather than rejecting the token. This permits a token for one account to be used for any other account.
OSV · 2022-02-15 · CVSS 7.5 · HIGH
nats-io/jwt not enforcing checking of Import token permissions (CVE-2021-3127)
(This advisory is canonically )
## Problem Description
The NATS server provides for Subjects which are namespaced by Account; all Subjects are supposed to be private to an account, with an Export/Import system used to grant cross-account access to some Subjects. Some Exports are public, such that anyone can import the relevant subjects, and some Exports are private, such that the Import requires a token JWT to prove permission.
The JWT library's validation of the bindings in the Import Token incorrectly warned on mismatches, instead of outright rejecting the token.
As a result, any account can take an Import token used by any other account and re-use it for themselves because the binding to the importing account is not rej
OSV · 2022-02-15 · HIGH
Duplicate Advisory: Incorrect Access Control in github.com/nats-io/jwt and github.com/nats-io/nats-server/v2 (CVE-2021-3127)
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-62mh-w5cv-p88c (for github.com/nats-io/jwt) and GHSA-j756-f273-xhp4 (for github.com/nats-io/nats-server). This link is maintained to preserve external references.
## Original Description
NATS Server (github.com/nats-io/nats-server/v2/server) 2.x before 2.2.0 and JWT library (github.com/nats-io/jwt/v2) before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.
GHSA · 2022-02-15 · CVSS 7.5 · HIGH · CWE-863
nats-io/jwt not enforcing checking of Import token permissions (CVE-2021-3127)
(This advisory is canonically )
## Problem Description
The NATS server provides for Subjects which are namespaced by Account; all Subjects are supposed to be private to an account, with an Export/Import system used to grant cross-account access to some Subjects. Some Exports are public, such that anyone can import the relevant subjects, and some Exports are private, such that the Import requires a token JWT to prove permission.
The JWT library's validation of the bindings in the Import Token incorrectly warned on mismatches, instead of outright rejecting the token.
As a result, any account can take an Import token used by any other account and re-use it for themselves because the binding to the importing account is not rej
OSV · 2021-05-21 · CVSS 7.5 · HIGH
github.com/nats-io/nats-server Import token permissions checking not enforced (CVE-2021-3127)
(This advisory is canonically )
## Problem Description
The NATS server provides for Subjects which are namespaced by Account; all Subjects are supposed to be private to an account, with an Export/Import system used to grant cross-account access to some Subjects. Some Exports are public, such that anyone can import the relevant subjects, and some Exports are private, such that the Import requires a token JWT to prove permission.
The JWT library's validation of the bindings in the Import Token incorrectly warned on mismatches, instead of outright rejecting the token.
As a result, any account can take an Import token used by any other account and re-use it for themselves because the binding to the importing acc
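The binding check the advisories above describe, as an added example that is not code from the nats-io/jwt library or the NATS project: it uses a constructed, simplified model of the activation token and the Import entry (type and field names are assumptions) and contrasts the warn-only validation that let a token issued to one account pass for any other with the strict validation that rejects it.

```go
package main

import "fmt"

// Constructed, simplified model (not the nats-io/jwt library's own types) of the
// activation token for a private Export and of the Import entry that carries it.
type ActivationClaims struct {
	Issuer        string // exporting account that signed the token
	Subject       string // importing account the token is bound to
	ImportSubject string // exported subject the token grants
}
type Import struct {
	Account string // exporting account this import pulls from
	Subject string // subject being imported
	Token   ActivationClaims
}
// Only Errors make the account JWT unacceptable; Warnings are merely logged.
type ValidationResults struct{ Warnings, Errors []string }
func (vr *ValidationResults) Accepted() bool { return len(vr.Errors) == 0 }

// ValidateImport checks the token's bindings for importing account importerKey.
// strict=false models the flaw (mismatches only warn); strict=true models the fix.
func ValidateImport(importerKey string, imp Import, strict bool, vr *ValidationResults) {
	report := func(msg string) {
		if strict {
			vr.Errors = append(vr.Errors, msg)
		} else {
			vr.Warnings = append(vr.Warnings, msg)
		}
	}
	if imp.Token.Issuer != imp.Account {
		report(fmt.Sprintf("token for %q not issued by export account %q", imp.Subject, imp.Account))
	}
	if imp.Token.Subject != importerKey {
		report(fmt.Sprintf("token for %q bound to %q, not to importer %q", imp.Subject, imp.Token.Subject, importerKey))
	}
	if imp.Token.ImportSubject != imp.Subject {
		report(fmt.Sprintf("token grants %q, not %q", imp.Token.ImportSubject, imp.Subject))
	}
}

func main() {
	// Constructed keys: A exports "orders.>", B is the legitimate importer, C reuses B's token.
	tok := ActivationClaims{Issuer: "A", Subject: "B", ImportSubject: "orders.>"}
	imp := Import{Account: "A", Subject: "orders.>", Token: tok}
	for _, strict := range []bool{false, true} {
		var vr ValidationResults
		ValidateImport("C", imp, strict, &vr)
		fmt.Println("strict:", strict, "accepted:", vr.Accepted(), vr.Warnings, vr.Errors)
	}
}
```

With strict=false the replayed token is accepted with a single warning; with strict=true the same mismatch is an error and the import is rejected.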
OSV · 2021-03-16 · CVSS 7.5 · HIGH
CVE-2021-3127: NATS Server 2
NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.
Debian (vendor_debian) · 2021 · CVSS 7.5 · HIGH
CVE-2021-3127: golang-github-nats-io-jwt
NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.
Scope: local
bookworm: resolved (fixed in 2.2.0-1)
forky: resolved (fixed in 2.2.0-1)
sid: resolved (fixed in 2.2.0-1)
trixie: resolved (fixed in 2.2.0-1)
No detection rules found.
No public exploits indexed.
Published: 2021-03-16