PT-2020-16534 · Jwt · Jwt Library

Phil Pennock · Published 2020-11-06 · Updated 2022-07-15

CVE-2020-26892 · CVSS v3.1 9.8 Critical · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

NATS nats-server versions 2.0.0 through 2.1.8
JWT library versions prior to 1.1.0
Description

The issue is Incorrect Access Control in the JWT library used by NATS nats-server, specifically in how expired credentials are handled. The IsRevoked and Export.IsRevoked functions validate expired credentials against the current system time rather than against the issue time of the JWT being checked, so time-based credential expiry does not take effect. A new IsClaimRevoked method with the correct handling has been introduced in the JWT library, and nats-server has been updated to call it. The old IsRevoked method now always returns true, so any other client code that calls it must be updated to use IsClaimRevoked instead.
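To make the distinction concrete, the following Go program is an added example written for this page; it is not code from the nats-io/jwt library or from nats-server. It reconstructs the revocation check as the advisory describes it: a revocation list keyed by subject public key, a flawed check that compares the recorded revocation timestamp against the current time, and a corrected check that compares it against the JWT's own issue time. The RevocationList and Claims types, both function bodies, the timeline and the subject key are all constructed for illustration and are assumptions, not the library's API.

```go
package main

import (
	"fmt"
	"time"
)

// RevocationList maps a subject public key to the Unix time (seconds) at
// which the account operator revoked credentials for that subject. This is
// a reconstruction of the data model the advisory describes, not the
// nats-io/jwt library's own type.
type RevocationList map[string]int64

// Claims holds the two fields the revocation check needs. The field names
// are assumptions for this example; real NATS user JWTs carry many more.
type Claims struct {
	Subject  string // public key the credential was issued to
	IssuedAt int64  // "iat" claim, Unix seconds
}

// isRevokedBuggy models the pre-1.1.0 behaviour the advisory describes:
// the revocation timestamp is compared with a caller-supplied time, and the
// server supplied the current system time. A revocation recorded at any
// point in the past is never "later than now", so the check never fires
// and the revoked credential keeps working.
func isRevokedBuggy(rl RevocationList, subject string, now time.Time) bool {
	revokedAt, ok := rl[subject]
	return ok && revokedAt > now.Unix()
}

// isClaimRevoked models the corrected semantics: a credential is revoked
// when it was issued at or before the recorded revocation time, and a
// credential re-issued after the revocation is accepted again. Claims that
// lack a subject or issue time are treated as revoked rather than trusted.
// The name follows the IsClaimRevoked method the advisory mentions; the body
// is an assumption made for this example.
func isClaimRevoked(rl RevocationList, c *Claims) bool {
	if c == nil || c.Subject == "" || c.IssuedAt == 0 {
		return true
	}
	revokedAt, ok := rl[c.Subject]
	return ok && revokedAt >= c.IssuedAt
}

// Constructed timeline: credential issued at t0, revoked one hour later at
// t1, connection attempt another hour later at t2. The subject key is a
// placeholder string, not a real NATS public key.
const subject = "UCONSTRUCTEDEXAMPLEUSERKEY"

var (
	t0 = time.Date(2020, 11, 1, 0, 0, 0, 0, time.UTC)
	t1 = t0.Add(time.Hour)
	t2 = t1.Add(time.Hour)
)

// CheckRevokedCredential returns the buggy and the fixed verdict for a
// credential issued before its revocation. The buggy check lets it through;
// the fixed check rejects it.
func CheckRevokedCredential() (buggy, fixed bool) {
	rl := RevocationList{subject: t1.Unix()}
	c := &Claims{Subject: subject, IssuedAt: t0.Unix()}
	return isRevokedBuggy(rl, c.Subject, t2), isClaimRevoked(rl, c)
}

// CheckReissuedCredential returns both verdicts for a credential re-issued
// at t2, after the revocation at t1. Both checks accept it; only the fixed
// check can tell this case apart from the one above.
func CheckReissuedCredential() (buggy, fixed bool) {
	rl := RevocationList{subject: t1.Unix()}
	c := &Claims{Subject: subject, IssuedAt: t2.Unix()}
	return isRevokedBuggy(rl, c.Subject, t2.Add(time.Hour)), isClaimRevoked(rl, c)
}

func main() {
	b, f := CheckRevokedCredential()
	fmt.Printf("credential issued before revocation: buggy=%v fixed=%v\n", b, f)
	b, f = CheckReissuedCredential()
	fmt.Printf("credential re-issued after revocation: buggy=%v fixed=%v\n", b, f)
	fmt.Printf("claim with no issue time: fixed=%v\n",
		isClaimRevoked(RevocationList{}, &Claims{Subject: subject}))
}
```

Run it with go run: the credential revoked at t1 passes the buggy check and fails the fixed one, while the credential re-issued after t1 passes both. The second case is why the corrected check must key on the claim's issue time rather than on a per-subject boolean: the same subject can legitimately hold a newer credential that post-dates its revocation.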
Recommendations

For NATS nats-server versions 2.0.0 through 2.1.8, upgrade to version 2.1.9 or later. For JWT library versions prior to 1.1.0, upgrade the JWT dependency to version 1.1.0 or later. As a temporary workaround until the fix can be deployed, issue credentials that only expire after the fixed versions will be in place. Do not rely on the IsRevoked method of the affected JWT library: in the fixed release it always returns true, so code that calls it directly must be migrated to IsClaimRevoked.

Fix

Weakness Enumeration

Improper Access Control
Using Hardcoded Credentials

Related Identifiers

CVE-2020-26892
GHSA-2C64-VJ8G-VWRQ
GHSA-4W5X-X539-PPF5
GO-2022-0380

Affected Products

Jwt Library
Nats
Nats Server