CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
88.6%
(This advisory is canonically <https://advisories.nats.io/CVE/CVE-2020-28466.txt>)
An export/import cycle between accounts could crash the nats-server, after consuming CPU and memory.
This issue was fixed publicly in <https://github.com/nats-io/nats-server/pull/1731> in November 2020.
The need to call this out as a security issue was highlighted by snyk.io
and we are grateful for their assistance in doing so.
Organizations which run a NATS service providing access to accounts run by untrusted third parties are affected.
See below for an important caveat if running such a service.
The nats-server could be killed, after consuming resources.
The import cycle requires at least two accounts to work; if you have open account sign-up, then restricting new account sign-up might hinder an attacker.
Upgrade the nats-server.
Running a NATS service which is exposed to untrusted users presents a heightened risk.
Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers.
Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention.
Those who are running such services are encouraged to build regularly from git.
Vendor | Product | Version | CPE |
---|---|---|---|
nats-io | nats-server | * | cpe:2.3:a:nats-io:nats-server:*:*:*:*:*:*:*:* |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
88.6%