CVE-2022-28357
Description
NATS nats-server 2.2.0 through 2.7.4 allows directory traversal because of an unintended path to a management action from a management account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2022-28357 allows arbitrary file write via directory traversal in NATS nats-server 2.2.0–2.7.4, exploitable by any user with access to the privileged system account.
Vulnerability
Description
CVE-2022-28357 is a directory traversal vulnerability in NATS nats-server versions 2.2.0 through 2.7.4 (and nats-streaming-server 0.15.0 through 0.24.3). The bug is an inadequate check when constructing filenames for account synchronization, a code path reached through the privileged system account ($SYS): input received over the system account ends up in the on-disk filename without being checked for traversal components, so the written file can land outside the directory the server intended. The result is that an attacker can write files at arbitrary locations on the filesystem of the host running NATS [1][2].
Exploitation
To exploit this vulnerability, an attacker must be able to publish arbitrary messages to the system account ($SYS). In NATS the system account is the 'superuser' path for administrative actions, and access to it is intentionally privileged. Any user or client that holds system-account access, whether through direct authentication or through lateral movement within a cluster or super-cluster, can trigger the traversal; no authentication beyond system-account privileges is needed [2]. The practical check for an operator is therefore who holds system-account credentials, since every such principal has this write capability on affected versions.
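The missing check described above and the attacker-supplied input that reaches it, as an added example written for this page (it is not nats-server code). It models a resolver that stores account JWTs as <dir>/<accountID>.jwt, with the unvalidated filename construction beside a hardened one; the directory layout, the function names and the sample identifiers are assumptions made for the example. NATS account identities are NKey public keys ('A' followed by base32), which gives the hardened version a tight allow-list to enforce before it touches the filesystem.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Illustrative model of the bug class on this page, not nats-server code.
// The <dir>/<accountID>.jwt layout and all names here are assumptions.

// vulnerableJWTPath builds the storage path straight from an identifier
// taken out of the request. filepath.Join cleans the result but does not
// confine it, so "../" components in the identifier walk out of dir.
func vulnerableJWTPath(dir, accountID string) string {
	return filepath.Join(dir, accountID+".jwt")
}

// A NATS account identity is an NKey public key: the prefix 'A' followed by
// base32 (RFC 4648, uppercase, unpadded), 56 characters in total. This
// regexp checks only the shape; the project's nkeys library additionally
// verifies the embedded checksum (nkeys.IsValidPublicAccountKey).
var accountKeyRe = regexp.MustCompile(`^A[A-Z2-7]{55}$`)

var (
	ErrBadAccountID = errors.New("account id is not an account public key")
	ErrEscapesDir   = errors.New("resolved path escapes the resolver directory")
)

// safeJWTPath rejects anything that is not a well-formed account key before
// building the path, then re-checks that the cleaned result is still inside
// dir. The second check is redundant while the allow-list holds, but it is
// the control that survives if the allow-list is ever loosened.
func safeJWTPath(dir, accountID string) (string, error) {
	if !accountKeyRe.MatchString(accountID) {
		return "", ErrBadAccountID
	}
	base, err := filepath.Abs(dir)
	if err != nil {
		return "", err
	}
	p := filepath.Join(base, accountID+".jwt")
	if !insideDir(base, p) {
		return "", ErrEscapesDir
	}
	return p, nil
}

// insideDir reports whether p is strictly beneath base. It uses a relative
// path computation rather than a string prefix so that base="/srv/nats"
// does not accept "/srv/nats-evil/x.jwt".
func insideDir(base, p string) bool {
	rel, err := filepath.Rel(base, p)
	if err != nil {
		return false
	}
	return rel != "." && rel != ".." &&
		!strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	dir := "/var/lib/nats/jwt" // assumed resolver directory

	// Constructed hostile identifier carrying traversal components.
	hostile := "../../etc/cron.d/nats"
	fmt.Println("vulnerable:", vulnerableJWTPath(dir, hostile))
	if _, err := safeJWTPath(dir, hostile); err != nil {
		fmt.Println("hardened:  ", err)
	}

	// Constructed identifier of the right shape (not a real key; no checksum).
	ok := "A" + strings.Repeat("B", 55)
	p, err := safeJWTPath(dir, ok)
	fmt.Println("hardened:  ", p, err)
}
```

The first line of output shows the cleaned-but-escaped path (/var/lib/etc/cron.d/nats.jwt): cleaning is not confinement. The hardened version never reaches the filesystem with the hostile value because the identifier is validated against the format the protocol already defines, and the containment check is kept as a backstop.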
Impact
The impact is an arbitrary file write to any location writable by the user the NATS server process runs as. An attacker could overwrite the server's own configuration, drop files into directories that other services on the host read, or otherwise corrupt the integrity of the server filesystem. Because the system account spans a cluster or super-cluster, a foothold with system-account access on one node gives the same write capability against other nodes in the deployment. The advisory notes that this does not cross a privilege boundary, since the attacker already holds system-level access, but it is still a significant and unexpected write capability [2].
Mitigation
The GitHub Security Advisory data on this page lists nats-server 2.7.4 as the patched version, while the CVE description's "through 2.7.4" and the synthesized figure of 2.8.0 disagree with it; treat any release at or above the version named in the NATS advisory as fixed, and verify against the advisory before deciding whether a 2.7.4 deployment needs an upgrade. For nats-streaming-server the fixed version is 0.24.4. As a workaround, administrators should sandbox the nats-server process so that it can write only to the directories it is expected to write to, which bounds the damage from exploitation: run it as a dedicated unprivileged user and, under systemd, combine ProtectSystem=strict with a ReadWritePaths= list naming only its state and resolver directories. Independently of the fix, review which principals hold system-account credentials, since the precondition for exploitation is that access [2][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/nats-io/nats-server | Go | >= 2.2.0, < 2.7.4 | 2.7.4 |
Affected products
- NATS/nats-server
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.