Go modules package
github.com/nats-io/nats-streaming-server
pkg:golang/github.com/nats-io/nats-streaming-server
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-29946 | Med | 6.3 | | < 0.24.6 | 0.24.6 | Jul 11, 2024 | NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit |
| CVE-2022-26652 | — | | | >= 0.15.0, < 0.24.3 | 0.24.3 | Mar 10, 2022 | NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected. |
| CVE-2022-24450 | — | | | >= 0.15.0, < 0.24.1 | 0.24.1 | Feb 8, 2022 | NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature. |