Vulnerability Report: GO-2022-0380

CVE-2020-26892, GHSA-2c64-vj8g-vwrq, and 1 more
Affects: github.com/nats-io/jwt
Published: Jul 15, 2022
Modified: Jun 12, 2023

The AccountClaims.IsRevoked and Export.IsRevoked functions improperly validate expired credentials using the current system time rather than the issue time of the JWT to be tested. These functions cannot be used properly. Newer versions of the jwt package provide an IsClaimRevoked method which performs correct validation. In these versions, the IsRevoked method always return true.

For detailed information about this vulnerability, visit https://advisories.nats.io/CVE/CVE-2020-26892.txt.

Affected Packages

Path

Versions

Symbols
github.com/nats-io/jwt

before v1.1.0
- AccountClaims.IsRevoked
- Export.IsRevoked

Aliases

CVE-2020-26892
GHSA-2c64-vj8g-vwrq
GHSA-4w5x-x539-ppf5

References

https://advisories.nats.io/CVE/CVE-2020-26892.txt
https://github.com/nats-io/jwt/commit/e11ce317263cef69619fc1ca743b195d02aa1d8a
https://vuln.go.dev/ID/GO-2022-0380.json

Feedback

See anything missing or incorrect? Suggest an edit to this report.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL