CVE-2022-29946
published 2024-07-11


Priority: P339
Severity: medium
CVSS 3.1 base score: 6.3
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:L / I:L / A:L
EPSS: 0.48% (37.7th percentile)
NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.

Affected

6 ranges

Vendor           | Product                        | Version range                      | Fixed in
-----------------|--------------------------------|------------------------------------|---------------------------------
debian           | nats-server                    | < nats-server 2.9.8-1 (bookworm)   | nats-server 2.9.8-1 (bookworm)
github.com       | nats-io_nats-server_v2         | >= 0 < 2.8.2                       | 2.8.2
github.com       | nats-io_nats-streaming-server  | >= 0 < 0.24.6                      | 0.24.6
linuxfoundation  | nats-server                    | >= 0 < 2.9.8-1                     | 2.9.8-1
linuxfoundation  | nats-server                    | >= 0 < 2.9.8-1                     | 2.9.8-1
linuxfoundation  | nats-server                    | >= 0 < 2.9.8-1                     | 2.9.8-1

CVSS provenance

Source         | CVSS version | Score | Severity | Vector
---------------|--------------|-------|----------|--------------------------------------------------
nvd            | 3.1          | 6.3   | MEDIUM   | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
osv            |              | 6.3   | MEDIUM   |
vendor_debian  |              | 6.3   | MEDIUM   |
vendor_redhat  |              | 6.3   | MEDIUM   |