CVE-2021-3127: 
Linux Debian vulnerability analysis and mitigation

NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 contain an Incorrect Access Control vulnerability (CVE-2021-3127) due to mishandling of Import Token bindings. The vulnerability was discovered and disclosed on March 16, 2021. The issue affects the NATS.io distributed communication technology system, specifically impacting the server component and JWT library used for handling JWTs across NATS.io projects (NATS Advisory).

The vulnerability stems from the JWT library's incorrect validation of bindings in the Import Token, where it only warned on mismatches instead of rejecting the token outright. The CVSS v3.1 base score is 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The vulnerability allows network-based attacks with low attack complexity, requires no privileges or user interaction, and can result in high confidentiality impact (AttackerKB).

The vulnerability allows any account to take an Import token used by other accounts and re-use it to import any Subject from the Exporting account, not just the Subject referenced in the Import Token. Since the NATS account-server system treats account JWTs as semi-public information, attackers can easily enumerate all account JWTs and retrieve all Import Tokens, potentially accessing any Subject from accounts that provide Exported Subjects (NATS Advisory).

The primary mitigation is to upgrade the JWT library to version 2.0.1 or later, and NATS server to version 2.2.0 or later. As a temporary workaround, administrators can deny access to clients to update their account JWT in the account server. Additionally, it's recommended to audit all accounts JWTs to scan for exploit attempts using the provided Python script jwt-audit.py (NATS Advisory).