Gerardo Iglesias

**Name of the Vulnerable Software and Affected Versions** NATS nats-server versions 2.2.0 through 2.7.4 **Description** The issue allows directory traversal due to an unintended path to a management action from a management account. This is caused by an unintended path in the management account of the NATS nats-server. **Recommendations** For versions 2.2.0 through 2.7.4, update to a version that fixes the directory traversal issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NATS Server versions prior to 2.7.2 NATS Streaming Server versions prior to 0.24.1 **Description** The issue is related to Incorrect Access Control in NATS nats-server, where any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature. This is due to a coding error in an experimental feature that allowed clients to authorize into any account. A client can craft the initial protocol-level handshake to switch into any other account, including the System account, which controls nats-server core operations. For deployments not using multi-tenancy, normal users can choose to be in the System account. **Recommendations** For NATS Server versions prior to 2.7.2, upgrade to version 2.7.2 or later. For NATS Streaming Server versions prior to 0.24.1, upgrade to version 0.24.1 or later.

**Name of the Vulnerable Software and Affected Versions** Avaya Aura Device Services versions 7.0 through 8.1.4.0 **Description** An arbitrary code execution issue was discovered in Avaya Aura Device Services, potentially allowing a local user to execute specially crafted scripts. The vulnerability is related to the creation of temporary files with insecure permissions. **Recommendations** For versions 7.0 through 8.1.4.0, update to a version that contains a fix for this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Avaya Aura Appliance Virtualization Platform Utilities (AVPU) versions 8.0.0.0 through 8.1.3.1 **Description** An information disclosure issue was discovered in the directory and file management of AVPU, potentially allowing any local user to access system functionality and configuration information that should only be available to a privileged user. **Recommendations** For versions 8.0.0.0 through 8.1.3.1, update to a version that contains a fix for this issue to prevent unauthorized access to system functionality and configuration information.

**Name of the Vulnerable Software and Affected Versions** Avaya Aura Appliance Virtualization Platform Utilities (AVPU) versions 8.0.0.0 through 8.1.3.1 **Description** A privilege escalation issue was discovered that may allow a local user to escalate privileges. **Recommendations** For versions 8.0.0.0 through 8.1.3.1, at the moment, there is no information about a newer version that contains a fix for this issue.