Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for nats_streaming_server by nats

    CVE-2022-26652 (GCVE-0-2022-26652)

    Vulnerability from nvd – Published: 2022-03-10 03:48 – Updated: 2024-08-03 05:11
    VLAI
    Summary
    NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:11:44.439Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/nats-io/nats-server/releases"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://advisories.nats.io/CVE/CVE-2022-26652.txt"
              },
              {
                "name": "[oss-security] 20220309 CVE-2022-26652: nats-server arbitrary file write",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/03/10/1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-10T12:06:14.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://advisories.nats.io/CVE/CVE-2022-26652.txt"
            },
            {
              "name": "[oss-security] 20220309 CVE-2022-26652: nats-server arbitrary file write",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/03/10/1"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2022-26652",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/nats-io/nats-server/releases",
                  "refsource": "MISC",
                  "url": "https://github.com/nats-io/nats-server/releases"
                },
                {
                  "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68"
                },
                {
                  "name": "https://advisories.nats.io/CVE/CVE-2022-26652.txt",
                  "refsource": "CONFIRM",
                  "url": "https://advisories.nats.io/CVE/CVE-2022-26652.txt"
                },
                {
                  "name": "[oss-security] 20220309 CVE-2022-26652: nats-server arbitrary file write",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/03/10/1"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-26652",
        "datePublished": "2022-03-10T03:48:44.000Z",
        "dateReserved": "2022-03-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T05:11:44.439Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-24450 (GCVE-0-2022-24450)

    Vulnerability from nvd – Published: 2022-02-08 01:14 – Updated: 2024-08-03 04:13
    VLAI
    Summary
    NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:13:55.583Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://advisories.nats.io/CVE/CVE-2022-24450.txt"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the \"dynamically provisioned sandbox accounts\" feature."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-08T01:14:48.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://advisories.nats.io/CVE/CVE-2022-24450.txt"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2022-24450",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the \"dynamically provisioned sandbox accounts\" feature."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2",
                  "refsource": "MISC",
                  "url": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2"
                },
                {
                  "name": "https://advisories.nats.io/CVE/CVE-2022-24450.txt",
                  "refsource": "CONFIRM",
                  "url": "https://advisories.nats.io/CVE/CVE-2022-24450.txt"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-24450",
        "datePublished": "2022-02-08T01:14:48.000Z",
        "dateReserved": "2022-02-04T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:13:55.583Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-26652 (GCVE-0-2022-26652)

    Vulnerability from cvelistv5 – Published: 2022-03-10 03:48 – Updated: 2024-08-03 05:11
    VLAI
    Summary
    NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T05:11:44.439Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/nats-io/nats-server/releases"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://advisories.nats.io/CVE/CVE-2022-26652.txt"
              },
              {
                "name": "[oss-security] 20220309 CVE-2022-26652: nats-server arbitrary file write",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "http://www.openwall.com/lists/oss-security/2022/03/10/1"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-03-10T12:06:14.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://advisories.nats.io/CVE/CVE-2022-26652.txt"
            },
            {
              "name": "[oss-security] 20220309 CVE-2022-26652: nats-server arbitrary file write",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2022/03/10/1"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2022-26652",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/nats-io/nats-server/releases",
                  "refsource": "MISC",
                  "url": "https://github.com/nats-io/nats-server/releases"
                },
                {
                  "name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68"
                },
                {
                  "name": "https://advisories.nats.io/CVE/CVE-2022-26652.txt",
                  "refsource": "CONFIRM",
                  "url": "https://advisories.nats.io/CVE/CVE-2022-26652.txt"
                },
                {
                  "name": "[oss-security] 20220309 CVE-2022-26652: nats-server arbitrary file write",
                  "refsource": "MLIST",
                  "url": "http://www.openwall.com/lists/oss-security/2022/03/10/1"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-26652",
        "datePublished": "2022-03-10T03:48:44.000Z",
        "dateReserved": "2022-03-07T00:00:00.000Z",
        "dateUpdated": "2024-08-03T05:11:44.439Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-24450 (GCVE-0-2022-24450)

    Vulnerability from cvelistv5 – Published: 2022-02-08 01:14 – Updated: 2024-08-03 04:13
    VLAI
    Summary
    NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.
    Severity
    No CVSS data available.
    CWE
    • n/a
    Assigner
    References
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:13:55.583Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://advisories.nats.io/CVE/CVE-2022-24450.txt"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "n/a",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the \"dynamically provisioned sandbox accounts\" feature."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "description": "n/a",
                  "lang": "en",
                  "type": "text"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-08T01:14:48.000Z",
            "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
            "shortName": "mitre"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://advisories.nats.io/CVE/CVE-2022-24450.txt"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "cve@mitre.org",
              "ID": "CVE-2022-24450",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "n/a",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "n/a"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the \"dynamically provisioned sandbox accounts\" feature."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "n/a"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2",
                  "refsource": "MISC",
                  "url": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2"
                },
                {
                  "name": "https://advisories.nats.io/CVE/CVE-2022-24450.txt",
                  "refsource": "CONFIRM",
                  "url": "https://advisories.nats.io/CVE/CVE-2022-24450.txt"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "assignerShortName": "mitre",
        "cveId": "CVE-2022-24450",
        "datePublished": "2022-02-08T01:14:48.000Z",
        "dateReserved": "2022-02-04T00:00:00.000Z",
        "dateUpdated": "2024-08-03T04:13:55.583Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }