The JWT library in NATS nats-server before 2.1.9 allows a denial of service (a nil dereference in Go code).
Weakness
The product dereferences a pointer that it expects to be valid but is NULL.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Nats-server | Linuxfoundation | * | 2.1.9 (excluding) |
| Golang-github-nats-io-jwt | Ubuntu | focal | * |
| Golang-github-nats-io-jwt | Ubuntu | groovy | * |
| Golang-github-nats-io-jwt | Ubuntu | hirsute | * |
| Golang-github-nats-io-jwt | Ubuntu | impish | * |
| Golang-github-nats-io-jwt | Ubuntu | kinetic | * |
| Golang-github-nats-io-jwt | Ubuntu | lunar | * |
| Golang-github-nats-io-jwt | Ubuntu | mantic | * |
| Golang-github-nats-io-jwt | Ubuntu | oracular | * |
| Golang-github-nats-io-jwt | Ubuntu | plucky | * |
| Golang-github-nats-io-jwt | Ubuntu | trusty | * |
Potential Mitigations
References
- http://www.openwall.com/lists/oss-security/2020/11/02/2
- https://github.com/nats-io/nats-server/commits/master
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT67XCLIIBYRT762SVFBYFFTQFVSM3SI/
- http://www.openwall.com/lists/oss-security/2020/11/02/2
- https://github.com/nats-io/nats-server/commits/master
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT67XCLIIBYRT762SVFBYFFTQFVSM3SI/