Vulnerability Monitor

CVE-2023-47090


NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0.


Published: 2023-10-30T17:15:52.467

Last Modified: 2024-11-21T08:29:44.953

Status: Modified

Source: [email protected]

Severity: CVSSv3.1: 6.5 (MEDIUM)

Weaknesses
  • Type: Primary
    CWE-863

Affected Vendors & Products
Type         Vendor           Product      Version/Range  Vulnerable?
Application  linuxfoundation  nats-server  < 2.9.23       Yes
Application  linuxfoundation  nats-server  < 2.10.2       Yes
