Lucene search

Veracode Vulnerability DatabaseVERACODE:34120

HistoryFeb 09, 2022 - 9:29 a.m.

Privilege Escalation

2022-02-0909:29:16

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

JSON

github.com/nats-io/nats-server is vulnerable to privilege escalation. The vulnerability exists due to the weak permission in the “dynamically provisioned sandbox accounts” feature., allowing an unauthorized user to access System account.

CPENameOperatorVersion
github.com/nats-io/nats-serverlev2.7.2
github.com/nats-io/nats-serverlev2.7.2

CPE	Name	Operator	Version
	github.com/nats-io/nats-server	le	v2.7.2
	github.com/nats-io/nats-server	le	v2.7.2

References

advisories.nats.io/CVE/CVE-2022-24450.txt

github.com/golang/vulndb/issues/307

github.com/nats-io/nats-server/commit/55b7f11c9a4699951300093a3eb4fc98d49061e1

github.com/nats-io/nats-server/pull/2847

github.com/nats-io/nats-server/releases/tag/v2.7.2

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

JSON

Related for VERACODE:34120