# github.com/nats-io/jwt vulnerabilities
3 known vulnerabilities affecting github.com/nats-io/jwt.
- Total CVEs: 3
- CISA KEV: 0
- Public exploits: 0
- Exploited in wild: 0
- Severity breakdown: CRITICAL 1, HIGH 2
## Vulnerabilities
### CVE-2021-3127 [HIGH] CVSS 7.5 · CWE-863 · affected versions ≥ 0, ≤ 1.2.2 · 2022-02-15
nats-io/jwt not enforcing checking of Import token permissions
(This advisory is canonically )
## Problem Description
The NATS server provides for Subjects which are namespaced by Account; all Subjects are supposed to be private to an account, with an Export/Import system used to grant cross-account access to some Subjects. Some Exports are public, such that anyone can import the relevant subjects, and
### CVE-2020-26892 [CRITICAL] CWE-798 · affected versions ≥ 0, < 1.1.0 · 2022-02-11
Incorrect handling of credential expiry by /nats-io/nats-server
## Problem Description
NATS nats-server through 2020-10-07 has Incorrect Access Control because of how expired credentials are handled.
The NATS accounts system has expiration timestamps on credentials; the library had an API which encouraged misuse and an `IsRevoked()` method which misused its own API.
A new `IsClaimRevoked()` meth
### CVE-2020-26521 [HIGH] CWE-476 · affected versions ≥ 0, < 1.1.0 · 2022-02-11
Nil dereference in NATS JWT, DoS of nats-server
## Problem Description
The NATS account system has an Operator trusted by the servers, which signs Accounts, and each Account can then create and sign Users within their account. The Operator should be able to safely issue Accounts to other entities which it does not fully trust.
A malicious Account could create and sign a User JWT with a state not created by the norma