Details of VAR-202103-1287

ID

VAR-202103-1287

CVE

CVE-2021-3127

TITLE

NATS Server Access Control Error Vulnerability

Trust: 1.2

sources: CNVD: CNVD-2021-26378 // CNNVD: CNNVD-202103-1001

DESCRIPTION

NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled. NATS Server and JWT library Contains an improper authentication vulnerability.Information may be obtained. NATS Server is an open source messaging system. The system is mainly used for cloud-native applications, IoT messaging, and microservice architecture. No detailed vulnerability details are currently provided

Trust: 2.79

sources: NVD: CVE-2021-3127 // JVNDB: JVNDB-2021-004667 // CNVD: CNVD-2021-26378 // CNNVD: CNNVD-202103-1001 // VULMON: CVE-2021-3127

IOT TAXONOMY

category:

['IoT']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2021-26378

AFFECTED PRODUCTS

vendor:	nats	model:	jwt library	scope:	lt	version:	2.0.1	Trust: 1.6
vendor:	nats	model:	server	scope:	lt	version:	2.2.0	Trust: 1.0
vendor:	nats	model:	server	scope:	gte	version:	2.0.0	Trust: 1.0
vendor:	nats	model:	server	scope:	lt	version:	2.x	Trust: 0.8
vendor:	nats	model:	jwt library	scope:	-	version:	-	Trust: 0.8
vendor:	nats	model:	server	scope:	eq	version:	2.2.0	Trust: 0.8
vendor:	nats	model:	server	scope:	gte	version:	2.0.0,<2.2.0	Trust: 0.6

sources: CNVD: CNVD-2021-26378 // JVNDB: JVNDB-2021-004667 // NVD: CVE-2021-3127

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2021-3127
value:	HIGH
Trust: 1.0
NVD:	CVE-2021-3127
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2021-26378
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-202103-1001
value:	HIGH
Trust: 0.6
VULMON:	CVE-2021-3127
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2021-3127
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
CNVD:	CNVD-2021-26378
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

nvd@nist.gov:	CVE-2021-3127
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0
NVD:	CVE-2021-3127
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: CNVD: CNVD-2021-26378 // VULMON: CVE-2021-3127 // JVNDB: JVNDB-2021-004667 // CNNVD: CNNVD-202103-1001 // NVD: CVE-2021-3127

PROBLEMTYPE DATA

problemtype:	CWE-755	Trust: 1.0
problemtype:	Bad authentication (CWE-863) [NVD Evaluation ]	Trust: 0.8

sources: JVNDB: JVNDB-2021-004667 // NVD: CVE-2021-3127

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202103-1001

TYPE

access control error

Trust: 0.6

sources: CNNVD: CNNVD-202103-1001

PATCH

title:	Import token permissions checking not enforced	url:	https://advisories.nats.io/CVE/CVE-2021-3127.txt	Trust: 0.8
title:	Patch for NATS Server Access Control Error Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/257231	Trust: 0.6
title:	NATS Server Fixes for access control error vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=144952	Trust: 0.6
title:	Red Hat: CVE-2021-3127	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2021-3127	Trust: 0.1

sources: CNVD: CNVD-2021-26378 // VULMON: CVE-2021-3127 // JVNDB: JVNDB-2021-004667 // CNNVD: CNNVD-202103-1001

EXTERNAL IDS

db:	NVD	id:	CVE-2021-3127	Trust: 3.1
db:	JVNDB	id:	JVNDB-2021-004667	Trust: 0.8
db:	CNVD	id:	CNVD-2021-26378	Trust: 0.6
db:	CNNVD	id:	CNNVD-202103-1001	Trust: 0.6
db:	VULMON	id:	CVE-2021-3127	Trust: 0.1

sources: CNVD: CNVD-2021-26378 // VULMON: CVE-2021-3127 // JVNDB: JVNDB-2021-004667 // CNNVD: CNNVD-202103-1001 // NVD: CVE-2021-3127

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2021-3127	Trust: 2.0
url:	https://advisories.nats.io/cve/cve-2021-3127.txt	Trust: 1.7
url:	https://cwe.mitre.org/data/definitions/863.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-3127	Trust: 0.1

sources: CNVD: CNVD-2021-26378 // VULMON: CVE-2021-3127 // JVNDB: JVNDB-2021-004667 // CNNVD: CNNVD-202103-1001 // NVD: CVE-2021-3127

SOURCES

db:	CNVD	id:	CNVD-2021-26378
db:	VULMON	id:	CVE-2021-3127
db:	JVNDB	id:	JVNDB-2021-004667
db:	CNNVD	id:	CNNVD-202103-1001
db:	NVD	id:	CVE-2021-3127

LAST UPDATE DATE

2024-11-23T22:29:17.408000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2021-26378	date:	2021-04-09T00:00:00
db:	VULMON	id:	CVE-2021-3127	date:	2021-03-23T00:00:00
db:	JVNDB	id:	JVNDB-2021-004667	date:	2021-11-25T09:08:00
db:	CNNVD	id:	CNNVD-202103-1001	date:	2022-07-14T00:00:00
db:	NVD	id:	CVE-2021-3127	date:	2024-11-21T06:20:56.710

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2021-26378	date:	2021-04-09T00:00:00
db:	VULMON	id:	CVE-2021-3127	date:	2021-03-16T00:00:00
db:	JVNDB	id:	JVNDB-2021-004667	date:	2021-11-25T00:00:00
db:	CNNVD	id:	CNNVD-202103-1001	date:	2021-03-16T00:00:00
db:	NVD	id:	CVE-2021-3127	date:	2021-03-16T20:15:13.300