CVE-2021-3127 — Improper Handling of Exceptional Conditions in Nats-io JWT

CWE-755 — Improper Handling of Exceptional Conditions CWE-863 — Incorrect Authorization9 documents5 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 47.51%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Nats-io JWT Github.com Nats-io JWT V2 Github.com Nats-io Nats-server V2 +4 more

Timeline

PublishedMar 16

Latest updateMar 5

Description

NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages7 packages

▶NVDnats/jwt_library< 2.0.1

▶debiandebian/nats-server< golang-github-nats-io-jwt 2.2.0-1 (bookworm)

▶NVDlinuxfoundation/nats-server2.0.0 — 2.2.0

▶Gogithub.com/nats-io_nats-server_v2< 2.2.0

▶Gogithub.com/nats-io_jwt< 1.2.3-0.20210314221642-a826c77dc9d2+1

🔴Vulnerability Details

OSV

Import token permissions checking not enforced in github.com/nats-io/jwt↗2022-07-01

▶

OSV

nats-io/jwt not enforcing checking of Import token permissions↗2022-02-15

▶

OSV

Duplicate Advisory: Incorrect Access Control in github.com/nats-io/jwt and github.com/nats-io/nats-server/v2↗2022-02-15

▶

GHSA

nats-io/jwt not enforcing checking of Import token permissions↗2022-02-15

▶

OSV

github.com/nats-io/nats-server Import token permissions checking not enforced↗2021-05-21

▶

📋Vendor Advisories

Debian

CVE-2021-3127: golang-github-nats-io-jwt - NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access ...↗2021

▶

💬Community

Bugzilla

CVE-2021-47099 kernel: veth: ensure skb entering GRO are not cloned.↗2024-03-05

▶