critical
9.8
CWE
798
Advisory Published
Advisory Published
Updated

CVE-2020-26892

First published: Fri Nov 06 2020(Updated: )

## Problem Description NATS nats-server through 2020-10-07 has Incorrect Access Control because of how expired credentials are handled. The NATS accounts system has expiration timestamps on credentials; the <https://github.com/nats-io/jwt> library had an API which encouraged misuse and an `IsRevoked()` method which misused its own API. A new `IsClaimRevoked()` method has correct handling and the nats-server has been updated to use this. The old `IsRevoked()` method now always returns true and other client code will have to be updated to avoid calling it. The CVE identifier should cover any application using the old JWT API, where the nats-server is one of those applications. ## Affected versions #### JWT library * all versions prior to 1.1.0 * fixed after nats-io/jwt PR 103 landed (2020-10-06) #### NATS Server * Version 2 prior to 2.1.9 + 2.0.0 through and including 2.1.8 are vulnerable. * fixed with nats-io/nats-server PRs 1632, 1635, 1645 ## Impact Time-based credential expiry did not work. ## Workaround Have credentials which only expire after fixes can be deployed. ## Solution Upgrade the JWT dependency in any application using it. Upgrade the NATS server if using NATS Accounts.

Credit: cve@mitre.org cve@mitre.org

Affected SoftwareAffected VersionHow to fix
go/github.com/nats-io/nats-server/v2<2.1.9
2.1.9
go/github.com/nats-io/jwt<1.1.0
1.1.0
Linuxfoundation Nats-server<2.1.9
Fedoraproject Fedora=33
<2.1.9
=33

Remedy

https://github.com/nats-io/nats-server/commits/master

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2020-26892?

    The severity of CVE-2020-26892 is critical with a CVSS score of 9.8.

  • How does CVE-2020-26892 impact NATS nats-server?

    CVE-2020-26892 impacts NATS nats-server through 2020-10-07 by allowing incorrect access control due to how expired credentials are handled.

  • Which software versions are affected by CVE-2020-26892?

    The affected software versions are nats-server/v2 up to 2.1.9 and jwt up to 1.1.0.

  • Where can I find more information about CVE-2020-26892?

    More information about CVE-2020-26892 can be found in the references section of the advisory.

  • How can I mitigate the vulnerability CVE-2020-26892?

    To mitigate the vulnerability CVE-2020-26892, it is recommended to update nats-server/v2 to version 2.1.9 and jwt to version 1.1.0.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203