CVE-2022-29946 — Incorrect Authorization in Nats-io Nats-server V2

CWE-863 — Incorrect Authorization CWE-284 — Improper Access Control7 documents5 sources

Severity

6.3MEDIUMNVD

EPSS

0.1%

top 71.08%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linuxfoundation Nats-server Github.com Nats-io Nats-server V2 Github.com Nats-io Nats-streaming-server +1 more

Timeline

PublishedJul 11

Latest updateJul 12

Description

NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LExploitability: 2.8 | Impact: 3.4

Affected Packages4 packages

▶Gogithub.com/nats-io_nats-streaming-server< 0.24.6

▶debiandebian/nats-server< nats-server 2.9.8-1 (bookworm)

▶Gogithub.com/nats-io_nats-server_v2< 2.8.2

▶Debianlinuxfoundation/nats-server< 2.9.8-1+2

🔴Vulnerability Details

OSV

NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects in github.com/nats-io/nats-server↗2024-07-12

▶

OSV

CVE-2022-29946: NATS↗2024-07-11

▶

OSV

NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects↗2024-07-11

▶

GHSA

NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects↗2024-07-11

▶

📋Vendor Advisories

Red Hat

nats-server: Negative user permissions not enforced in one scenario↗2024-07-11

▶

Debian

CVE-2022-29946: nats-server - NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow ...↗2022

▶