Vulnerability Report: GO-2022-0380
- CVE-2020-26892, GHSA-2c64-vj8g-vwrq, and 1 more
- Affects: github.com/nats-io/jwt
- Published: Jul 15, 2022
- Modified: Jun 12, 2023
The AccountClaims.IsRevoked and Export.IsRevoked functions improperly validate expired credentials using the current system time rather than the issue time of the JWT to be tested. These functions cannot be used properly. Newer versions of the jwt package provide an IsClaimRevoked method which performs correct validation. In these versions, the IsRevoked method always return true.
For detailed information about this vulnerability, visit https://advisories.nats.io/CVE/CVE-2020-26892.txt.
Affected Packages
-
PathVersionsSymbols
-
before v1.1.0
Aliases
References
- https://advisories.nats.io/CVE/CVE-2020-26892.txt
- https://github.com/nats-io/jwt/commit/e11ce317263cef69619fc1ca743b195d02aa1d8a
- https://vuln.go.dev/ID/GO-2022-0380.json
Feedback
See anything missing or incorrect?
Suggest an edit to this report.