PT-2021-19229 · Unknown · Jwt Library+1

Published: 2021-03-16 · Updated: 2024-03-06 · CVE-2021-3127

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: NATS Server versions 2.0.0 through 2.1.9; JWT library versions prior to 2.0.1

Description: The issue is Incorrect Access Control in the NATS server and the JWT library. When validating Import token bindings, a mismatch only produces a warning instead of causing the token to be rejected. As a result, any account can take an Import token issued to another account and reuse it, gaining access to any Subject of the Exporting account. In deployments where untrusted accounts are able to update the Account Server with imports, a malicious account can access any Subject from an account that provides Exported Subjects.

Recommendations: For NATS Server versions 2.0.0 through 2.1.9, upgrade to version 2.2.0 or later. For JWT library versions prior to 2.0.1, upgrade the JWT dependency in any application that uses it to version 2.0.1 or later. As a temporary workaround, consider denying clients the ability to update their account JWT in the account server. Audit all account JWTs for signs of exploit attempts.

Weakness Enumeration

Incorrect Authorization
Improper Access Control
Improper Handling of Exceptional Conditions

Related Identifiers

BIT-NATS-2021-3127
CVE-2021-3127
GHSA-62MH-W5CV-P88C
GHSA-9R5X-FJV3-Q6H4
GHSA-J756-F273-XHP4
GO-2022-0386

Affected Products

Jwt Library
Nats Server