Date: Mon, 15 Mar 2021 22:24:08 -0400 From: Phil Pennock <oss-security-phil@...dhuis.org> To: oss-security@...ts.openwall.com Cc: Phil Pennock <pdp@...adia.com> Subject: [CVE-2020-28466][CVE-2021-3127] NATS.io vulnerabilities Folks, Two new CVEs for the NATS project for issues fixed with the 2.2.0 release. The full text of the advisories should be attached. These, and other advisories, can be found at <https://advisories.nats.io/>. * CVE-2020-28466 + import loops between accounts, expressed in the account JWT, could DoS the server + this was fixed in public git some time ago without initially thinking of the security impact, this was the first release since then + realistically, the current situation is that if you have untrusted third parties with control over their account JWTs, then while we'll hurry security releases for severe flaws (compromise, disclosure), for DoS protection folks need to follow closer to git mainline * CVE-2021-3127 + this one is far more serious: information disclosure between accounts + something which should have been an error was a disregarded warning, letting people reuse binding tokens to bypass access controls on data exports from an account because the binding was not enforced + the bug is in the JWT library, the current NATS server has the fix in as as a dependency; the advisory includes a Python script which can be pointed at your account server's account pack URL, or a pack on local disk, to audit all the accounts to find instances of someone exploiting this Regards, -Phil Pennock View attachment "CVE-2020-28466.txt" of type "text/plain" (1969 bytes) View attachment "CVE-2021-3127.txt" of type "text/plain" (7627 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.