CVE-2022-24450 — Missing Authorization in Nats-io Nats-server V2

CWE-862 — Missing Authorization CWE-270 — Privilege Context Switching Error CWE-863 — Incorrect Authorization6 documents5 sources

Severity

8.8HIGHNVD

EPSS

0.5%

top 32.76%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Nats-io Nats-server V2 Github.com Nats-io Nats-streaming-server Linuxfoundation Nats-server +2 more

Timeline

PublishedFeb 8

Latest updateAug 21

Description

NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶NVDnats/nats_streaming_server0.15.0 — 0.24.1

▶NVDlinuxfoundation/nats-server2.0.0 — 2.7.2

▶Gogithub.com/nats-io_nats-server_v22.0.0 — 2.7.2

▶Gogithub.com/nats-io_nats-streaming-server0.15.0 — 0.24.1

▶debiandebian/nats-server

🔴Vulnerability Details

OSV

Incorrect Authorization in NATS nats-server in github.com/nats-io/nats-server↗2024-08-21

▶

OSV

Incorrect Authorization in NATS nats-server↗2022-02-08

▶

GHSA

Incorrect Authorization in NATS nats-server↗2022-02-08

▶

📋Vendor Advisories

Red Hat

nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account↗2022-02-07

▶

Debian

CVE-2022-24450: nats-server - NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated us...↗2022

▶