CVE-2022-26652
published 2022-03-10

Priority: P3 40
Severity: medium (CVSS 3.1 base score 6.5)
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 2.25% (80.7th percentile)
NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.

Affected (5 ranges)

Vendor           Product                          Version range         Fixed in
debian           nats-server
github.com       nats-io_nats-server_v2           >= 2.2.0, < 2.7.4     2.7.4
github.com       nats-io_nats-streaming-server    >= 0.15.0, < 0.24.3   0.24.3
linuxfoundation  nats-server                      >= 2.2.0, < 2.7.4     2.7.4
nats             nats_streaming_server            >= 0.15.0, < 0.24.3   0.24.3

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      6.5     MEDIUM     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
nvd            v2.0      4.0     MEDIUM     AV:N/AC:L/Au:S/C:N/I:P/A:N
ghsa                     6.5     MEDIUM
osv                      6.5     MEDIUM
vendor_debian            6.5     LOW