6 matches found
nats-io/jwt not enforcing checking of Import token permissions
This advisory is canonically Problem Description The NATS server provides for Subjects which are namespaced by Account; all Subjects are supposed to be private to an account, with an Export/Import system used to grant cross-account access to some Subjects. Some Exports are public, such that anyon...
github.com/nats-io/nats-server Import token permissions checking not enforced
This advisory is canonically Problem Description The NATS server provides for Subjects which are namespaced by Account; all Subjects are supposed to be private to an account, with an Export/Import system used to grant cross-account access to some Subjects. Some Exports are public, such that anyon...
GHSA-J756-F273-XHP4 github.com/nats-io/nats-server Import token permissions checking not enforced
This advisory is canonically Problem Description The NATS server provides for Subjects which are namespaced by Account; all Subjects are supposed to be private to an account, with an Export/Import system used to grant cross-account access to some Subjects. Some Exports are public, such that anyon...
DEBIAN-CVE-2021-3127
NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled...
CVE-2021-3127
The CVE concerns NATS Server 2.x (pre-2.2.0) and the JWT library (pre-2.0.1) where Import Token bindings were mishandled, causing Incorrect Access Control. The root cause is improper validation of Import Token bindings, allowing cross-account access to imported subjects. Affected versions include...
CVE-2021-3127
NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled...