CVE-2022-29946
Published 2024-07-11
Priority: P339 · Severity: medium · Base score: 6.3 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EPSS: 0.48% (37.7th percentile)
NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.

In practice: a user whose subscribe permissions carry a deny entry for a subject is refused a plain subscription to that subject, but the same user could attach a queue group to a wildcard subscription that covers it and receive the denied traffic anyway. The attacker needs valid credentials for an account whose restrictions rely on deny rules (hence PR:L in the vector); the server-side fix ships in NATS Server 2.8.2 and NATS Streaming Server 0.24.6. Until a deployment is upgraded, every user whose isolation depends on a subscribe deny list should be reviewed, since a rule set with no deny entries has no negative permission for this scenario to bypass.
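To make the failure mode concrete, here is an added example written for this page (not nats-server code and not the project's own fix): a small Go model of NATS subscribe permissions with allow and deny lists. The `permissions { subscribe { allow, deny } }` shape quoted in the comment is the documented NATS configuration syntax, and the subject-matching rules (`*` matches one token, `>` matches one or more trailing tokens) are NATS's documented semantics; `SubPerms`, `examplePerms`, `anyRule`, `vulnerableCanSubscribe`, `fixedCanSubscribe`, `canDeliver` and the sample policy are hypothetical constructs for illustration. `vulnerableCanSubscribe` models the class of bug the advisory describes, a deny check that is skipped when a queue group is present, rather than reproducing the actual defective code path; `fixedCanSubscribe` shows the invariant a fix must restore (queue membership never changes the authorization outcome), and `canDeliver` shows the per-message deny check a wildcard subscription still needs at delivery time. The model rejects any wildcard subscription that overlaps a deny entry outright, which is the conservative choice; it does not claim that is how nats-server itself resolves such overlaps.

```go
package main

import (
	"fmt"
	"strings"
)

// SubPerms models the subscribe half of a NATS user permission set, mirroring
//   permissions { subscribe { allow: ["orders.>"], deny: ["orders.secret"] } }
// Everything in this file is an illustrative model, not nats-server code.
type SubPerms struct {
	Allow []string // empty means everything is allowed (a deny-only rule set)
	Deny  []string
}

// examplePerms is a constructed sample policy used by main and the tests.
var examplePerms = SubPerms{Allow: []string{"orders.>"}, Deny: []string{"orders.secret"}}

// matchSubject applies NATS subject matching to a concrete subject: tokens
// are '.'-separated, '*' matches one token, '>' matches one or more.
func matchSubject(pattern, subject string) bool {
	p, s := strings.Split(pattern, "."), strings.Split(subject, ".")
	for i, tok := range p {
		if tok == ">" {
			return i < len(s)
		}
		if i >= len(s) || (tok != "*" && tok != s[i]) {
			return false
		}
	}
	return len(p) == len(s)
}

// covers: every subject matched by sub is also matched by allow.
func covers(allow, sub string) bool {
	a, s := strings.Split(allow, "."), strings.Split(sub, ".")
	for i, tok := range a {
		if tok == ">" {
			return i < len(s)
		}
		if i >= len(s) || s[i] == ">" || (tok != "*" && tok != s[i]) {
			return false
		}
	}
	return len(a) == len(s)
}

// overlaps: deny and sub can both match some concrete subject. A deny rule must
// be tested this way: "orders.*" is not literally "orders.secret" but delivers it.
func overlaps(deny, sub string) bool {
	d, s := strings.Split(deny, "."), strings.Split(sub, ".")
	for i := 0; i < len(d) && i < len(s); i++ {
		if d[i] == ">" || s[i] == ">" {
			return true
		}
		if d[i] != "*" && s[i] != "*" && d[i] != s[i] {
			return false
		}
	}
	return len(d) == len(s)
}

func anyRule(rules []string, sub string, pred func(rule, sub string) bool) bool {
	for _, r := range rules {
		if pred(r, sub) {
			return true
		}
	}
	return false
}

// vulnerableCanSubscribe models the failure mode in the advisory: the deny list
// is enforced for plain subscriptions but skipped once a queue group is attached.
// Hypothetical model of the bug class, not the nats-server code path.
func vulnerableCanSubscribe(p SubPerms, subject, queue string) bool {
	if len(p.Allow) > 0 && !anyRule(p.Allow, subject, covers) {
		return false
	}
	if queue != "" {
		return true // BUG: negative permissions never consulted on this path
	}
	return !anyRule(p.Deny, subject, overlaps)
}

// fixedCanSubscribe: the same allow-then-deny decision with or without a queue group.
func fixedCanSubscribe(p SubPerms, subject, _ string) bool {
	return (len(p.Allow) == 0 || anyRule(p.Allow, subject, covers)) && !anyRule(p.Deny, subject, overlaps)
}

// canDeliver: delivery-time check of each concrete message subject against deny.
func canDeliver(p SubPerms, subject string) bool {
	return !anyRule(p.Deny, subject, matchSubject)
}

func main() {
	for _, c := range []struct{ subject, queue string }{
		{"orders.new", ""}, {"orders.secret", ""}, {"orders.*", ""}, {"orders.*", "workers"},
	} {
		fmt.Printf("sub %-15q queue %-9q vulnerable=%-5v fixed=%v\n", c.subject, c.queue,
			vulnerableCanSubscribe(examplePerms, c.subject, c.queue),
			fixedCanSubscribe(examplePerms, c.subject, c.queue))
	}
}
```

`go run` prints the decision table for the constructed policy; the row for `orders.*` with queue group `workers` is the bypass, where the vulnerable check returns true and the fixed one returns false. The delivery-time check in `canDeliver` is the second line of defence worth keeping in any broker model: an accepted wildcard subscription must still have each message's concrete subject tested against the deny list.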
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nats-server | < 2.9.8-1 (bookworm) | 2.9.8-1 (bookworm) |
| github.com | nats-io/nats-server/v2 | >= 0, < 2.8.2 | 2.8.2 |
| github.com | nats-io/nats-streaming-server | >= 0, < 0.24.6 | 0.24.6 |
| linuxfoundation | nats-server | >= 0, < 2.9.8-1 | 2.9.8-1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| osv | | 6.3 | MEDIUM | |
| vendor_debian | | 6.3 | MEDIUM | |
| vendor_redhat | | 6.3 | MEDIUM | |
OSV (2024-07-12): NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects in github.com/nats-io/nats-server
OSV (2024-07-11, CVSS 6.3, MEDIUM): CVE-2022-29946: NATS
OSV (2024-07-11, HIGH): NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects
GHSA (2024-07-11, HIGH, CWE-863): NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects
Red Hat (2024-07-11, CVSS 6.3, MEDIUM, CWE-284): nats-server: Negative user permissions not enforced in one scenario
A flaw was found in the NATS Server and NATS Streaming Server. Affected versions of this package could allow a remote attacker to bypass security restrictions due to a failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.
Mitigation: Recraft user permission rules to only add ac
Debian (2022, CVSS 6.3, MEDIUM): CVE-2022-29946: nats-server - NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow ...
Scope: local
- bookworm: resolved (fixed in 2.9.8-1)
- forky: resolved (fixed in 2.9.8-1)
- sid: resolved (fixed in 2.9.8-1)
- trixie: resolved (fixed in 2.9.8-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.