Lucene search
+L

559 matches found

OSV
OSV
added 2022/02/11 11:42 p.m.34 views

GHSA-4W5X-X539-PPF5 Incorrect handling of credential expiry by /nats-io/nats-server

Problem Description NATS nats-server through 2020-10-07 has Incorrect Access Control because of how expired credentials are handled. The NATS accounts system has expiration timestamps on credentials; the library had an API which encouraged misuse and an IsRevoked method which misused its own API....

9.8CVSS9.5AI score0.02054EPSS
Exploits0References10
RedhatCVE
RedhatCVE
added 2022/02/09 3:45 p.m.34 views

CVE-2022-24450

A flaw was found in the NATS nats-server in an experimental feature that provides dynamically provisioned sandbox accounts that do not check the clients’ authorization. This flaw allows an attacker to take advantage of its valid account and switch over to another existing account without further...

9CVSS4.1AI score0.01305EPSS
Exploits0References4
Veracode
Veracode
added 2022/02/09 9:29 a.m.22 views

Privilege Escalation

github.com/nats-io/nats-server is vulnerable to privilege escalation. The vulnerability exists due to the weak permission in the "dynamically provisioned sandbox accounts" feature., allowing an unauthorized user to access System account...

8.8CVSS5AI score0.01305EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2022/02/08 5:23 p.m.27 views

Incorrect Authorization in NATS nats-server

This advisory is canonically Problem Description NATS nats-server through 2022-02-04 has Incorrect Access Control, with unchecked ability for clients to authorize into any account, because of a coding error in a long-extant experimental feature. A client crafting the initial protocol-level...

9CVSS1.1AI score0.01305EPSS
Exploits0References5Affected Software2
OSV
OSV
added 2022/02/08 5:23 p.m.240 views

GHSA-G6W6-R76C-28J7 Incorrect Authorization in NATS nats-server

This advisory is canonically Problem Description NATS nats-server through 2022-02-04 has Incorrect Access Control, with unchecked ability for clients to authorize into any account, because of a coding error in a long-extant experimental feature. A client crafting the initial protocol-level...

8.8CVSS8.7AI score0.01305EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2022/02/08 2:15 a.m.8 views

CVE-2022-24450

NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature...

9CVSS7.3AI score0.01305EPSS
Exploits0References3
NVD
NVD
added 2022/02/08 2:15 a.m.39 views

CVE-2022-24450

NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature...

9CVSS0.01305EPSS
Exploits0References2
Prion
Prion
added 2022/02/08 2:15 a.m.16 views

Design/Logic Flaw

NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature...

9CVSS9.2AI score0.01305EPSS
Exploits0References2Affected Software2
CVE
CVE
added 2022/02/08 1:14 a.m.198 views

CVE-2022-24450

CVE-2022-24450 affects NATS nats-server up to and including 2.7.1, with a root cause in an experimental feature for dynamically provisioned sandbox accounts that allowed any authenticated user to switch into any account, including the System account. The impact is high (privilege escalation and f...

9CVSS8.5AI score0.01305EPSS
Exploits0References2Affected Software2
Cvelist
Cvelist
added 2022/02/08 1:14 a.m.51 views

CVE-2022-24450

NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature...

8.9AI score0.01305EPSS
Exploits0References2
OSV
OSV
added 2022/02/08 1:14 a.m.26 views

CVE-2022-24450

NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature...

9CVSS8.9AI score0.01305EPSS
Exploits0References4
Debian CVE
Debian CVE
added 2022/02/08 1:14 a.m.70 views

CVE-2022-24450

NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature...

9CVSS8.8AI score0.01305EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2022/02/08 12:0 a.m.3 views

PT-2022-16706 · Unknown · Nats Server +1

Name of the Vulnerable Software and Affected Versions: NATS Server versions prior to 2.7.2 NATS Streaming Server versions prior to 0.24.1 Description: The issue is related to Incorrect Access Control in NATS nats-server, where any authenticated user can obtain the privileges of the System account...

9CVSS9.1AI score0.01305EPSS
Exploits0References14
CNNVD
CNNVD
added 2022/02/08 12:0 a.m.14 views

Nats-Server 访问控制错误漏洞

Nats-Server is a high-performance server for Nats.io, cloud and edge native messaging systems. An access control error vulnerability exists in nats-server, which arises from the product allowing any authenticated user to gain privileges on the System account by abusing the "dynamically provisione...

9CVSS7.9AI score0.01305EPSS
Exploits0References12
Github Security Blog
Github Security Blog
added 2021/05/21 4:22 p.m.40 views

github.com/nats-io/nats-server Import token permissions checking not enforced

This advisory is canonically Problem Description The NATS server provides for Subjects which are namespaced by Account; all Subjects are supposed to be private to an account, with an Export/Import system used to grant cross-account access to some Subjects. Some Exports are public, such that anyon...

7.5CVSS7.4AI score0.0146EPSS
Exploits1References6Affected Software1
OSV
OSV
added 2021/05/21 4:22 p.m.22 views

GHSA-J756-F273-XHP4 github.com/nats-io/nats-server Import token permissions checking not enforced

This advisory is canonically Problem Description The NATS server provides for Subjects which are namespaced by Account; all Subjects are supposed to be private to an account, with an Export/Import system used to grant cross-account access to some Subjects. Some Exports are public, such that anyon...

7.5CVSS7.4AI score0.0146EPSS
Exploits1References6
Github Security Blog
Github Security Blog
added 2021/05/21 4:22 p.m.46 views

Import loops in account imports, nats-server DoS

This advisory is canonically Problem Description An export/import cycle between accounts could crash the nats-server, after consuming CPU and memory. This issue was fixed publicly in in November 2020. The need to call this out as a security issue was highlighted by snyk.io and we are grateful for...

7.5CVSS1.3AI score0.03658EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2021/05/21 4:22 p.m.14 views

GHSA-GWJ5-3VFQ-Q992 Import loops in account imports, nats-server DoS

This advisory is canonically Problem Description An export/import cycle between accounts could crash the nats-server, after consuming CPU and memory. This issue was fixed publicly in in November 2020. The need to call this out as a security issue was highlighted by snyk.io and we are grateful for...

7.5CVSS7.5AI score
Exploits0References1
Github Security Blog
Github Security Blog
added 2021/05/21 4:22 p.m.57 views

Nil dereference in NATS JWT causing DoS of nats-server

This advisory is canonically Problem Description The NATS account system has an Operator trusted by the servers, which signs Accounts, and each Account can then create and sign Users within their account. The Operator should be able to safely issue Accounts to other entities which it does not ful...

7.5CVSS7.5AI score0.0209EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2021/05/21 4:22 p.m.27 views

GHSA-HMM9-R2M2-QG9W Nil dereference in NATS JWT causing DoS of nats-server

This advisory is canonically Problem Description The NATS account system has an Operator trusted by the servers, which signs Accounts, and each Account can then create and sign Users within their account. The Operator should be able to safely issue Accounts to other entities which it does not ful...

7.5CVSS7.4AI score0.0209EPSS
Exploits0References7
Rows per page
Query Builder