CVE-2023-46129 — Use of Hard-coded Cryptographic Key in Nats-io Nats-server V2

CWE-321 — Use of Hard-coded Cryptographic Key CWE-325 — Missing Cryptographic Step8 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 69.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Linuxfoundation Nats-server Github.com Nats-io Nats-server V2 Github.com Nats-io Nkeys +11 more

Timeline

PublishedOct 31

Latest updateNov 2

Description

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. In nkeys versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3, the nkeys library's `xkeys` encryption handli…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages15 packages

▶NVDnats/nkeys0.4.0 — 0.4.6

▶Gogithub.com/nats-io_nkeys0.4.0 — 0.4.6

▶debiandebian/golang-github-nats-io-nkeys< golang-github-nats-io-nkeys 0.4.6-1 (forky)

▶CVEListV5nats-io/nkeys>= 0.4.0, < 0.4.6, >= 2.10.0, < 2.10.4+1

▶debiandebian/nats-server< golang-github-nats-io-nkeys 0.4.6-1 (forky)

🔴Vulnerability Details

OSV

Curve KeyPairs fail to encrypt in github.com/nats-io/nkeys↗2023-11-02

▶

OSV

xkeys seal encryption used fixed key for all encryption↗2023-10-31

▶

OSV

CVE-2023-46129: NATS↗2023-10-31

▶

GHSA

xkeys seal encryption used fixed key for all encryption↗2023-10-31

▶

📋Vendor Advisories

Red Hat

nkeys: xkeys Seal encryption used fixed key for all encryption↗2023-10-29

▶

Microsoft

xkeys Seal encryption used fixed key for all encryption↗2023-10-10

▶

Debian

CVE-2023-46129: golang-github-nats-io-nkeys - NATS.io is a high performance open source pub-sub distributed communication tech...↗2023

▶