CVE-2023-46129
Published: 2023-10-31
Priority: P3 · 45 · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.37% (29.2th percentile)
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. In nkeys versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3, the nkeys library's `xkeys` encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing.
FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY. nkeys Go library 0.4.6, corresponding with NATS Server 2.10.4, has a patch for this issue. No known workarounds are available. For any application handling auth callouts in Go, if using the nkeys library, update the dependency, recompile and deploy that in lockstep.
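As an added illustration of the defect class the advisory describes (this is not nkeys' own code), the Go snippet below shows a fixed-size array handed to an inner function by value, so the inner function fills a copy and the caller keeps an all-zeros key, beside the pointer-based form that fixes it. The `populateKey` helper and the SHA-256 stand-in for the real key derivation are assumptions for the example; `isAllZeros` is the check a caller can apply before using a key.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

const keyLen = 32

// populateKey is a hypothetical internal helper standing in for the real
// derivation: it writes derived key material into the buffer it is handed.
func populateKey(buf []byte, sharedInput []byte) {
	sum := sha256.Sum256(sharedInput) // placeholder derivation, not nkeys' KDF
	copy(buf, sum[:])
}

// sealKeyByValue mirrors the defect: a [32]byte array is a Go value type,
// so the inner function receives a copy, fills that copy, and the caller's
// key stays all zeros.
func sealKeyByValue(sharedInput []byte) [keyLen]byte {
	var key [keyLen]byte
	fill := func(k [keyLen]byte) { populateKey(k[:], sharedInput) } // writes to a copy
	fill(key)
	return key
}

// sealKeyByPointer is the corrected form: passing a pointer (a slice of the
// array would also work) lets the helper write into the caller's buffer.
func sealKeyByPointer(sharedInput []byte) [keyLen]byte {
	var key [keyLen]byte
	fill := func(k *[keyLen]byte) { populateKey(k[:], sharedInput) }
	fill(&key)
	return key
}

// isAllZeros is the guard a caller can apply before sealing: an all-zero key
// means derivation never reached the buffer that will actually be used.
func isAllZeros(key [keyLen]byte) bool {
	return bytes.Equal(key[:], make([]byte, keyLen))
}

func main() {
	input := []byte("constructed shared secret, not a real NATS value")
	fmt.Println("by value, all zeros:  ", isAllZeros(sealKeyByValue(input)))
	fmt.Println("by pointer, all zeros:", isAllZeros(sealKeyByPointer(input)))
}
```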
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | golang-github-nats-io-nkeys | < golang-github-nats-io-nkeys 0.4.6-1 (forky) | golang-github-nats-io-nkeys 0.4.6-1 (forky) |
| debian | nats-server | < golang-github-nats-io-nkeys 0.4.6-1 (forky) | golang-github-nats-io-nkeys 0.4.6-1 (forky) |
| github.com | nats-io_nats-server_v2 | >= 2.10.0 < 2.10.4 | 2.10.4 |
| github.com | nats-io_nkeys | >= 0.4.0 < 0.4.6 | 0.4.6 |
| linuxfoundation | nats-server | >= 0 < 2.10.4-1 | 2.10.4-1 |
| linuxfoundation | nats-server | >= 0 < 2.10.4-1 | 2.10.4-1 |
| linuxfoundation | nats-server | >= 2.10.0 < 2.10.4 | 2.10.4 |
| msrc | azl3_telegraf_1.27.3-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_telegraf_1.29.4-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_telegraf_1.27.4-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| nats-io | nkeys | — | — |
| nats-io | nkeys | — | — |
| nats | nkeys | >= 0.4.0 < 0.4.6 | 0.4.6 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | LOW | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
Red Hat
nkeys: xkeys Seal encryption used fixed key for all encryption
vendor_redhat·2023-10-29·CVSS 7.5
CVE-2023-46129 [HIGH] CWE-325 nkeys: xkeys Seal encryption used fixed key for all encryption
Microsoft
xkeys Seal encryption used fixed key for all encryption
vendor_msrc·2023-10-10·CVSS 7.5
CVE-2023-46129 [HIGH] CWE-321 xkeys Seal encryption used fixed key for all encryption
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https:/
Debian
CVE-2023-46129: golang-github-nats-io-nkeys - NATS.io is a high performance open source pub-sub distributed communication tech...
vendor_debian·2023·CVSS 7.5
CVE-2023-46129 [HIGH] CVE-2023-46129: golang-github-nats-io-nkeys - NATS.io is a high performance open source pub-sub distributed communication tech...
OSV
Curve KeyPairs fail to encrypt in github.com/nats-io/nkeys
osv·2023-11-02
CVE-2023-46129 Curve KeyPairs fail to encrypt in github.com/nats-io/nkeys
Curve KeyPairs always use the same (all-zeros) key to encrypt data, and provide no security.
OSV
xkeys seal encryption used fixed key for all encryption
osv·2023-10-31
CVE-2023-46129 [HIGH] xkeys seal encryption used fixed key for all encryption
## Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts.
## Problem Description
The nkeys library's "xkeys" encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key.
This affects encryption only, not signing.
FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY.
OSV
CVE-2023-46129: NATS
osv·2023-10-31·CVSS 7.5
CVE-2023-46129 [HIGH] CVE-2023-46129: NATS
GHSA
xkeys seal encryption used fixed key for all encryption
ghsa·2023-10-31
CVE-2023-46129 [HIGH] CWE-321 xkeys seal encryption used fixed key for all encryption
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- http://www.openwall.com/lists/oss-security/2023/10/31/1
- https://github.com/nats-io/nkeys/security/advisories/GHSA-mr45-rx8q-wcm9
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/
Published: 2023-10-31