CVE-2022-26652 — Path Traversal in Nats-io Nats-server V2

CWE-22 — Path Traversal5 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.7%

top 28.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Nats-io Nats-server V2 Github.com Nats-io Nats-streaming-server Linuxfoundation Nats-server +2 more

Timeline

PublishedMar 10

Latest updateAug 21

Description

NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages5 packages

▶NVDnats/nats_streaming_server0.15.0 — 0.24.3

▶Gogithub.com/nats-io_nats-streaming-server0.15.0 — 0.24.3

▶NVDlinuxfoundation/nats-server2.2.0 — 2.7.4

▶Gogithub.com/nats-io_nats-server_v22.2.0 — 2.7.4

▶debiandebian/nats-server

🔴Vulnerability Details

OSV

Arbitrary file write in nats-server in github.com/nats-io/nats-server↗2024-08-21

▶

GHSA

Arbitrary file write in nats-server↗2022-03-10

▶

OSV

Arbitrary file write in nats-server↗2022-03-10

▶

📋Vendor Advisories

Debian

CVE-2022-26652: nats-server - NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via...↗2022

▶