Lucene search

GoogleOSV:GO-2022-0386

HistoryJul 01, 2022 - 8:11 p.m.

Import token permissions checking not enforced in github.com/nats-io/jwt

2022-07-0120:11:22

Google

osv.dev

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

65.8%

JSON

Import tokens valid for one account may be used for any other account.

Validation of Import token bindings incorrectly warns on mismatches, rather than rejecting the Goken. This permits a token for one account to be used for any other account.

CPENameOperatorVersion
github.com/nats-io/jwtlt1.2.3-0.20210314221642-a826c77dc9d2
github.com/nats-io/jwt/v2lt2.0.1

CPE	Name	Operator	Version
	github.com/nats-io/jwt	lt	1.2.3-0.20210314221642-a826c77dc9d2
	github.com/nats-io/jwt/v2	lt	2.0.1

References

advisories.nats.io/CVE/CVE-2021-3127.txt

github.com/nats-io/jwt/pull/149

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.003 Low

EPSS

Percentile

65.8%

JSON

Related for OSV:GO-2022-0386