| Metric | CVSS v2 | CVSS v3.1 |
|---|---|---|
| Base score | 4.0 Medium | 6.5 Medium |
| Vector string | AV:N/AC:L/Au:S/C:N/I:P/A:N | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| Attack Vector | NETWORK | NETWORK |
| Attack Complexity | LOW | LOW |
| Authentication (v2) / Privileges Required (v3) | SINGLE | LOW |
| User Interaction | (not in v2) | NONE |
| Scope | (not in v2) | UNCHANGED |
| Confidentiality Impact | NONE | NONE |
| Integrity Impact | PARTIAL | HIGH |
| Availability Impact | NONE | NONE |

EPSS: 0.001 (Low), percentile 34.5%
(This document is canonically: <https://advisories.nats.io/CVE/CVE-2022-26652.txt>)
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
JetStream is the optional Raft-based, resilient persistence feature of NATS.
JetStream streams can be backed up and restored via NATS. The backup format is a tar archive. Inadequate checks on the file names within the archive permit a so-called "Zip Slip" attack (path traversal through entry names containing components such as "../") during stream restore.
NATS nats-server through 2022-03-09 (fixed in release 2.7.4) did not correctly sanitize the file names inside the archive, so an authenticated NATS user able to request a JetStream stream restore could cause the NATS server to write attacker-supplied content to an attacker-chosen path, anywhere the server process has write access.
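As an added example (not code from the NATS project, the 2.7.4 fix, or this advisory), the following Go program shows the vulnerable join beside a hardened restore routine. `unsafeJoin` is the pattern that makes Zip Slip possible: it trusts the archive entry name, so `../` components walk out of the restore directory. `safeJoin` and `extractTar` reject any entry whose name would resolve outside that directory, as well as anything that is not a regular file. The function names, the in-memory archive built by `buildArchive`, and the entry names (`stream.json`, `msgs/1.blk`, `../escape.txt`) are all constructed for illustration and do not reflect JetStream's real backup layout.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// ErrUnsafePath flags an entry whose name resolves outside the restore dir.
var ErrUnsafePath = errors.New("archive entry escapes restore directory")

// unsafeJoin is the vulnerable pattern: the entry name is trusted, so "../"
// components walk out of dest.
func unsafeJoin(dest, name string) string {
	return filepath.Join(dest, filepath.FromSlash(name))
}

// safeJoin resolves an archive entry name against dest and rejects any name
// that would land outside it. Tar names use "/", so the raw name is checked too.
func safeJoin(dest, name string) (string, error) {
	if strings.HasPrefix(name, "/") || filepath.IsAbs(name) || filepath.VolumeName(name) != "" {
		return "", ErrUnsafePath
	}
	clean := filepath.Clean(dest)
	target := filepath.Join(clean, filepath.FromSlash(name))
	// Join cleans the result, so a ".." escape is a path no longer strictly
	// below dest (name "." resolves to dest itself and is allowed).
	if target != clean && !strings.HasPrefix(target, clean+string(filepath.Separator)) {
		return "", ErrUnsafePath
	}
	return target, nil
}

// entry is a constructed archive member for building sample backups.
type entry struct{ Name, Body string }

// buildArchive writes entries to an in-memory tar (sample data only, not the
// real JetStream backup layout). A short body write surfaces as an error at Close.
func buildArchive(entries []entry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, e := range entries {
		hdr := &tar.Header{Name: e.Name, Mode: 0o640, Size: int64(len(e.Body)), Typeflag: tar.TypeReg}
		if err := tw.WriteHeader(hdr); err != nil {
			panic(err)
		}
		tw.Write([]byte(e.Body))
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// extractTar restores a backup archive under dest and returns the entry names
// it wrote. It refuses traversal names and anything but regular files:
// symlinks and hard links are a second traversal vector a backup never needs.
func extractTar(data []byte, dest string) ([]string, error) {
	tr := tar.NewReader(bytes.NewReader(data))
	var written []string
	for {
		hdr, err := tr.Next()
		if errors.Is(err, io.EOF) {
			return written, nil
		}
		// Go 1.20+ may hand back the header together with tar.ErrInsecurePath
		// (GODEBUG=tarinsecurepath=0); keep going so our own check decides.
		if err != nil && hdr == nil {
			return written, err
		}
		target, err := safeJoin(dest, hdr.Name)
		if err != nil {
			return written, fmt.Errorf("entry %q: %w", hdr.Name, err)
		}
		if hdr.Typeflag != tar.TypeReg {
			return written, fmt.Errorf("entry %q: unsupported type %d", hdr.Name, hdr.Typeflag)
		}
		if err := os.MkdirAll(filepath.Dir(target), 0o750); err != nil {
			return written, err
		}
		f, err := os.OpenFile(target, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o640)
		if err != nil {
			return written, err
		}
		// Copy only the declared size so a malformed header cannot overrun.
		_, err = io.Copy(f, io.LimitReader(tr, hdr.Size))
		f.Close()
		if err != nil {
			return written, err
		}
		written = append(written, hdr.Name)
	}
}
```

Because the check runs per entry, an archive whose traversal entry comes after valid ones leaves the earlier files in place; a restore that must be all-or-nothing should run the same header checks over the whole archive before writing anything, or extract into a fresh temporary directory and rename it into place only on success. Go 1.20 and later can also make `tar.Reader.Next` return `tar.ErrInsecurePath` for such names under `GODEBUG=tarinsecurepath=0`; since that setting is off by default, the loop above keeps using the returned header so its own check still decides.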
Affected products:
NATS Server (versions before 2.7.4)
NATS Streaming Server (versions before 0.24.3; it embeds the NATS Server)
Upgrade the NATS Server to at least 2.7.4; NATS Streaming Server users should upgrade to at least 0.24.3.
We fully support the util/nats-server-hardened.service configuration (a systemd unit shipped in the nats-server repository that sandboxes the server process with systemd hardening directives, including limits on where it can write) for running a NATS server and encourage this approach; it reduces what an arbitrary file write such as this one can reach.
This issue was reported (on 2022-03-07) to the NATS Maintainers by Yiming Xiang, TIANJI LAB of NSFOCUS.
Thank you / 谢谢你!
| Name (Go module path) | Operator | Version |
|---|---|---|
| github.com/nats-io/nats-streaming-server | lt | 0.24.3 |
| github.com/nats-io/nats-server/v2 | lt | 2.7.4 |
www.openwall.com/lists/oss-security/2022/03/10/1
advisories.nats.io/CVE/CVE-2022-26652.txt
github.com/advisories/GHSA-6h3m-36w8-hv68
github.com/nats-io/nats-server/pull/2917
github.com/nats-io/nats-server/releases
github.com/nats-io/nats-server/releases/tag/v2.7.4
github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68
github.com/nats-io/nats-streaming-server/releases/tag/v0.24.3
nvd.nist.gov/vuln/detail/CVE-2022-26652