PT-2024-11549 · Unknown · NATS Server, NATS Streaming Server
Published 2024-07-11 · Updated 2024-10-30
CVE-2022-29946
CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
NATS Server versions prior to 2.8.2
NATS Streaming Server versions prior to 0.24.6
Description
The vulnerability is caused by the server failing to enforce negative (deny) user permissions in one scenario. A remote, authenticated user whose permissions deny certain subjects can create a queue subscription on a wildcard subject that overlaps the denied subjects; the deny entries are not applied to that subscription, so the user receives messages on subjects that were explicitly denied to them, bypassing the intended authorization restrictions.
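The enforcement property the advisory describes, as an added example written for this page (not nats-server code): a simplified Go model of NATS subscribe permissions with the documented wildcard rules (`*` matches one token, `>` matches one or more trailing tokens) and an allow list plus a deny list. A subscription whose subject is itself matched by a deny pattern is rejected; a wildcard subscription that merely overlaps a deny pattern is accepted, and every message is then re-checked against the deny list before delivery. Both checks deliberately ignore the queue group, which is the behaviour a fixed server must show: a queue subscription on `>` must not receive messages on a denied subject. The type names, treating an empty allow list as allow-all, and the lenient allow-side check are assumptions of this model, not nats-server semantics.

```go
package main

import (
	"fmt"
	"strings"
)

// Simplified model of NATS subscribe permissions (added example, not
// nats-server code). Assumptions: subjects are "."-separated tokens,
// "*" matches exactly one token, ">" matches one or more trailing tokens,
// and a user's permissions are an allow list plus a deny list of patterns.

// SubPermissions is a user's subscribe permission set. An empty Allow
// list is treated as "allow everything" (assumption of this model).
type SubPermissions struct {
	Allow []string
	Deny  []string
}

// Subscription is a subscription request; Queue is empty for a plain
// subscription and set for a queue subscription.
type Subscription struct {
	Subject string
	Queue   string
}

// subjectMatches reports whether subject matches pattern under NATS
// wildcard rules.
func subjectMatches(pattern, subject string) bool {
	pt := strings.Split(pattern, ".")
	st := strings.Split(subject, ".")
	for i, tok := range pt {
		if tok == ">" {
			// ">" must be the last pattern token and cover at least one subject token.
			return i == len(pt)-1 && len(st) > i
		}
		if i >= len(st) {
			return false
		}
		if tok != "*" && tok != st[i] {
			return false
		}
	}
	return len(pt) == len(st)
}

// matchesAny reports whether any pattern in the list matches subject.
func matchesAny(patterns []string, subject string) bool {
	for _, p := range patterns {
		if subjectMatches(p, subject) {
			return true
		}
	}
	return false
}

// CanSubscribe decides whether the subscription may be created at all.
// A subject matched by a deny pattern is rejected outright; a wildcard
// subject that only overlaps a deny pattern is accepted and relies on
// ShouldDeliver to filter denied messages. The queue group is deliberately
// not consulted: deny rules bind queue subscriptions exactly like plain ones.
func CanSubscribe(perms SubPermissions, sub Subscription) bool {
	if len(perms.Allow) > 0 && !matchesAny(perms.Allow, sub.Subject) {
		return false
	}
	return !matchesAny(perms.Deny, sub.Subject)
}

// ShouldDeliver is the per-message check: the message subject must match
// the subscription and must not match any deny pattern, regardless of
// whether sub carries a queue group.
func ShouldDeliver(perms SubPermissions, sub Subscription, msgSubject string) bool {
	if !subjectMatches(sub.Subject, msgSubject) {
		return false
	}
	return !matchesAny(perms.Deny, msgSubject)
}

func main() {
	// Constructed sample permission set: everything allowed except secrets.>
	perms := SubPermissions{Allow: []string{">"}, Deny: []string{"secrets.>"}}
	plain := Subscription{Subject: ">"}
	queued := Subscription{Subject: ">", Queue: "workers"}
	for _, subj := range []string{"orders.new", "secrets.api-key"} {
		fmt.Printf("%-16s plain=%v queue=%v\n", subj,
			ShouldDeliver(perms, plain, subj), ShouldDeliver(perms, queued, subj))
	}
}
```

Running the block shows `orders.new` delivered to both subscriptions and `secrets.api-key` delivered to neither; a server affected by this advisory would, for the queue subscription, return the opposite answer on the denied subject.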
Recommendations
For NATS Server versions prior to 2.8.2, update to version 2.8.2 or later to resolve the issue.
For NATS Streaming Server versions prior to 0.24.6, update to version 0.24.6 or later to resolve the issue.
As a temporary workaround until the upgrade is applied, restrict queue subscriptions on wildcard subjects for users whose permissions include deny entries, and treat those deny entries as unenforced for such users in the meantime.
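A version check a practitioner might run before and after the upgrade, added here as an example (not nats-server or Positive Technologies code). It compares a reported version against the fixed releases listed above numerically rather than as strings, and can take the version straight from the `INFO` line that nats-server sends as its first message on a client connection, which carries a `version` field. The function names and the sample INFO line (constructed, with a made-up `server_id`) are assumptions of the example; the INFO message only identifies the core server, so an embedded NATS Streaming Server version must be checked separately.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Added example (not nats-server code): decide from a version string, or
// from the INFO line a NATS server sends on connect, whether a server
// predates the fixed release named in the recommendations above.

// fixedVersions holds the first fixed release per product.
var fixedVersions = map[string][3]int{
	"nats-server":           {2, 8, 2},
	"nats-streaming-server": {0, 24, 6},
}

// parseVersion parses "v2.8.1", "2.8.1" or "2.8.1-beta.2" into
// [major minor patch]. Any pre-release or build suffix is ignored
// (assumption: releases use MAJOR.MINOR.PATCH), so a pre-release of the
// fixed version is reported as fixed.
func parseVersion(v string) ([3]int, error) {
	var out [3]int
	v = strings.TrimPrefix(strings.TrimSpace(v), "v")
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v = v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return out, fmt.Errorf("unexpected version format %q", v)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return out, fmt.Errorf("non-numeric version component %q", p)
		}
		out[i] = n
	}
	return out, nil
}

// less reports whether a sorts before b numerically (so 2.10.3 > 2.8.2).
func less(a, b [3]int) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// IsBelowFix reports whether the given product version predates the fix.
func IsBelowFix(product, version string) (bool, error) {
	fixed, ok := fixedVersions[product]
	if !ok {
		return false, fmt.Errorf("unknown product %q", product)
	}
	v, err := parseVersion(version)
	if err != nil {
		return false, err
	}
	return less(v, fixed), nil
}

// serverInfo is the subset of the INFO JSON used here; nats-server sends
// `INFO {...}` as its first line after a TCP connect on the client port.
type serverInfo struct {
	Version string `json:"version"`
}

// VulnerableFromInfoLine parses a raw INFO protocol line and reports whether
// the advertised nats-server version is below 2.8.2. It covers only the core
// server: an embedded NATS Streaming Server's own version is not part of the
// INFO message.
func VulnerableFromInfoLine(line string) (bool, error) {
	line = strings.TrimSpace(line)
	if !strings.HasPrefix(line, "INFO ") {
		return false, fmt.Errorf("not an INFO line: %q", line)
	}
	var info serverInfo
	if err := json.Unmarshal([]byte(strings.TrimPrefix(line, "INFO ")), &info); err != nil {
		return false, fmt.Errorf("malformed INFO payload: %w", err)
	}
	if info.Version == "" {
		return false, fmt.Errorf("INFO payload carries no version field")
	}
	return IsBelowFix("nats-server", info.Version)
}

func main() {
	// Constructed sample with the shape of a real INFO line and a made-up server_id.
	sample := `INFO {"server_id":"NEXAMPLE","version":"2.8.1","proto":1,"port":4222}` + "\r\n"
	vuln, err := VulnerableFromInfoLine(sample)
	fmt.Println("below fix:", vuln, "error:", err)
}
```

On a live host the INFO line is the first line any plain TCP client receives from the client port (4222 by default); pass it to VulnerableFromInfoLine as-is, including the trailing CRLF.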
Weakness Enumeration
Incorrect Authorization (CWE-863)
Related Identifiers
CVE-2022-29946
Affected Products
NATS Server
NATS Streaming Server