CVE-2023-47090
published 2023-10-30CVE-2023-47090: NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for…
PriorityP347medium6.5CVSS 3.1
AVNACLPRLUINSUCHINAN
EPSS
0.66%
47.0th percentile
NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | nats-server | < nats-server 2.10.3-1 (forky) | nats-server 2.10.3-1 (forky) |
| github.com | nats-io_nats-server_v2 | >= 2.10.0 < 2.10.2 | 2.10.2 |
| github.com | nats-io_nats-server_v2 | >= 2.2.0 < 2.9.23 | 2.9.23 |
| linuxfoundation | nats-server | >= 0 < 2.10.3-1 | 2.10.3-1 |
| linuxfoundation | nats-server | >= 0 < 2.10.3-1 | 2.10.3-1 |
| linuxfoundation | nats-server | >= 2.10.0 < 2.10.2 | 2.10.2 |
| linuxfoundation | nats-server | >= 2.2.0 < 2.9.23 | 2.9.23 |
| msrc | azl3_telegraf_1.27.3-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_telegraf_1.29.4-1_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_telegraf_1.28.5-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
CVSS provenance
nvdv3.16.5MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
osv6.5MEDIUM
vendor_debian6.5MEDIUM
vendor_msrc6.5MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
CVE-2023-47090: NATS nats-server before 2
osv·2023-10-30·CVSS 6.5
CVE-2023-47090 [MEDIUM] CVE-2023-47090: NATS nats-server before 2
NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0.
OSV
Authorization bypass in github.com/nats-io/nats-server/v2
osv·2023-10-24
CVE-2023-47090 Authorization bypass in github.com/nats-io/nats-server/v2
Authorization bypass in github.com/nats-io/nats-server/v2
Without any authorization rules in the nats-server, users can connect without authentication.
Before nats-server 2.2.0, all authentication and authorization rules for a nats-server lived in an "authorization" block, defining users. With nats-server 2.2.0 all users live inside accounts. When using the authorization block, whose syntax predates this, those users will be placed into the implicit global account, "$G". Users inside accounts go into the newer "accounts" block.
If an "accounts" block is defined, in simple deployment scenarios this is often used only to enable client access to the system account. When the only account added is the system account "$SYS", the nats-server would create an implicit user in "$G" and set it as
OSV
NATS.io: Adding accounts for just the system account adds auth bypass
osv·2023-10-19
CVE-2023-47090 [HIGH] NATS.io: Adding accounts for just the system account adds auth bypass
NATS.io: Adding accounts for just the system account adds auth bypass
## Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
NATS users exist within accounts, and once using accounts, the old authorization block is not applicable.
## Problem Description
Without any authorization rules in the nats-server, users can connect without authentication.
Before nats-server 2.2.0, all authentication and authorization rules for a nats-server lived in an "authorization" block, defining users. With nats-server 2.2.0 all users live inside accounts. When using the authorization block, whose syntax predates this, those users will be placed into the implicit global account, "$G". Users inside acc
GHSA
NATS.io: Adding accounts for just the system account adds auth bypass
ghsa·2023-10-19
CVE-2023-47090 [HIGH] CWE-305 NATS.io: Adding accounts for just the system account adds auth bypass
NATS.io: Adding accounts for just the system account adds auth bypass
## Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
NATS users exist within accounts, and once using accounts, the old authorization block is not applicable.
## Problem Description
Without any authorization rules in the nats-server, users can connect without authentication.
Before nats-server 2.2.0, all authentication and authorization rules for a nats-server lived in an "authorization" block, defining users. With nats-server 2.2.0 all users live inside accounts. When using the authorization block, whose syntax predates this, those users will be placed into the implicit global account, "$G". Users inside acc
Microsoft
NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access even when the inten
vendor_msrc·2023-10-10·CVSS 6.5
CVE-2023-47090 [MEDIUM] CWE-863 NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access even when the inten
NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See
Debian
CVE-2023-47090: nats-server - NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication by...
vendor_debian·2023·CVSS 6.5
CVE-2023-47090 [MEDIUM] CVE-2023-47090: nats-server - NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication by...
NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0.
Scope: local
bookworm: open
forky: resolved (fixed in 2.10.3-1)
sid: resolved (fixed in 2.10.3-1)
trixie: resolved (fixed in 2.10.3-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
http://www.openwall.com/lists/oss-security/2023/10/30/1https://github.com/nats-io/nats-server/security/advisories/GHSA-fr2g-9hjm-wr23https://www.openwall.com/lists/oss-security/2023/10/13/2http://www.openwall.com/lists/oss-security/2023/10/30/1https://github.com/nats-io/nats-server/security/advisories/GHSA-fr2g-9hjm-wr23https://www.openwall.com/lists/oss-security/2023/10/13/2
2023-10-30
Published