apk package

chainguard/nats

pkg:apk/chainguard/nats

Vulnerabilities (83)

CVE	Sev	CVSS	KEV	Affected versions	Fixed in	Published	Description
CVE-2023-47090		—		< 0.1.1-r5	0.1.1-r5	Oct 30, 2023	NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest af
CVE-2023-39325		—		< 0.1.1-r5	0.1.1-r5	Oct 11, 2023	A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack
CVE-2023-44487	Hig	7.5	KEV	< 0.1.1-r5	0.1.1-r5	Oct 10, 2023	The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVE-2023-47090Oct 30, 2023
affected < 0.1.1-r5fixed 0.1.1-r5
NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest af
CVE-2023-39325Oct 11, 2023
affected < 0.1.1-r5fixed 0.1.1-r5
A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attack
CVE-2023-44487HigKEVOct 10, 2023
affected < 0.1.1-r5fixed 0.1.1-r5
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Page 5 of 5