High severityNVD Advisory· Published Oct 30, 2023· Updated Sep 9, 2024
CVE-2023-47090
CVE-2023-47090
Description
NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/nats-io/nats-server/v2Go | >= 2.2.0, < 2.9.23 | 2.9.23 |
github.com/nats-io/nats-server/v2Go | >= 2.10.0, < 2.10.2 | 2.10.2 |
Affected products
4- NATS/nats-serverdescription
- osv-coords3 versions
< 0.1.1-r5+ 2 more
- (no CPE)range: < 0.1.1-r5
- (no CPE)range: < 0.1.1-r5
- (no CPE)range: >= 2.2.0, < 2.9.23
Patches
Vulnerability mechanics
References
9- github.com/advisories/GHSA-fr2g-9hjm-wr23ghsaADVISORY
- www.openwall.com/lists/oss-security/2023/10/30/1mitremailing-list
- advisories.nats.io/CVE/secnote-2023-01.txtghsaWEB
- github.com/nats-io/nats-server/commit/fa5b7afcb64e7e887e49afdd032358802b5c4478ghsaWEB
- github.com/nats-io/nats-server/pull/4605ghsaWEB
- github.com/nats-io/nats-server/releases/tag/v2.10.2ghsaWEB
- github.com/nats-io/nats-server/releases/tag/v2.9.23ghsaWEB
- github.com/nats-io/nats-server/security/advisories/GHSA-fr2g-9hjm-wr23ghsaWEB
- www.openwall.com/lists/oss-security/2023/10/13/2mitre
News mentions
0No linked articles in our index yet.