CVE-2020-26892

moderate-risk

Published 2020-11-06

The JWT library in NATS nats-server before 2.1.9 has Incorrect Access Control because of how expired credentials are handled.

Do I need to act?

0.55% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Nats-Server

Fedora

Fedoraproject Linuxfoundation

Patch https://github.com/nats-io/nats-server/commits/master

Mailing List https://www.openwall.com/lists/oss-security/2020/11/02/2

Patch https://github.com/nats-io/nats-server/commits/master

Mailing List https://www.openwall.com/lists/oss-security/2020/11/02/2

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 2/34 · Minimal

Exposure 7/34 · Low