CVE-2021-3127
Publication date 16 March 2021
Last updated 24 June 2025
Ubuntu priority
Description
NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| golang-github-nats-io-jwt | 25.10 questing |
Not affected
|
| 25.04 plucky |
Not affected
|
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Vulnerable
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
7.5 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
References
Other references
- https://www.openwall.com/lists/oss-security/2021/03/16/1
- https://www.openwall.com/lists/oss-security/2021/03/16/1/2
- https://advisories.nats.io/CVE/CVE-2021-3127.txt
- https://www.cve.org/CVERecord?id=CVE-2021-3127
- https://github.com/nats-io/jwt/security/advisories/GHSA-62mh-w5cv-p88c
- https://github.com/nats-io/jwt/pull/149