{"id":"GO-2022-0386","summary":"Import token permissions checking not enforced in github.com/nats-io/jwt","details":"Import tokens valid for one account may be used for any other account.\n\nValidation of Import token bindings incorrectly warns on mismatches, rather than rejecting the Goken. This permits a token for one account to be used for any other account.","aliases":["BIT-nats-2021-3127","CVE-2021-3127","GHSA-62mh-w5cv-p88c","GHSA-9r5x-fjv3-q6h4","GHSA-j756-f273-xhp4"],"modified":"2026-02-04T03:17:43.247203Z","published":"2022-07-01T20:11:22Z","related":["CGA-3xwf-56gh-qxqq"],"database_specific":{"review_status":"REVIEWED","url":"https://pkg.go.dev/vuln/GO-2022-0386"},"references":[{"type":"ADVISORY","url":"https://advisories.nats.io/CVE/CVE-2021-3127.txt"},{"type":"FIX","url":"https://github.com/nats-io/jwt/pull/149"}],"affected":[{"package":{"name":"github.com/nats-io/jwt","ecosystem":"Go","purl":"pkg:golang/github.com/nats-io/jwt"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"1.2.3-0.20210314221642-a826c77dc9d2"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/nats-io/jwt","symbols":["Account.Validate","AccountClaims.Validate","ActivationClaims.Validate","Import.Validate","Imports.Validate"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0386.json"}},{"package":{"name":"github.com/nats-io/jwt/v2","ecosystem":"Go","purl":"pkg:golang/github.com/nats-io/jwt/v2"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"2.0.1"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/nats-io/jwt/v2","symbols":["Account.Validate","AccountClaims.Validate","Import.Validate","Imports.Validate"]}]},"database_specific":{"source":"https://vuln.go.dev/ID/GO-2022-0386.json"}}],"schema_version":"1.7.3"}