Search
Find a vulnerability
Search criteria
4 vulnerabilities found for nats_streaming_server by nats
CVE-2022-26652 (GCVE-0-2022-26652)
Vulnerability from nvd – Published: 2022-03-10 03:48 – Updated: 2024-08-03 05:11
VLAI
EPSS
VEX
Summary
NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/nats-io/nats-server/releases | x_refsource_MISC |
| https://github.com/nats-io/nats-server/security/a… | x_refsource_CONFIRM |
| https://advisories.nats.io/CVE/CVE-2022-26652.txt | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2022/03/10/1 | mailing-listx_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:11:44.439Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nats-io/nats-server/releases"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://advisories.nats.io/CVE/CVE-2022-26652.txt"
},
{
"name": "[oss-security] 20220309 CVE-2022-26652: nats-server arbitrary file write",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/03/10/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-10T12:06:14.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nats-io/nats-server/releases"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://advisories.nats.io/CVE/CVE-2022-26652.txt"
},
{
"name": "[oss-security] 20220309 CVE-2022-26652: nats-server arbitrary file write",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/03/10/1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-26652",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nats-io/nats-server/releases",
"refsource": "MISC",
"url": "https://github.com/nats-io/nats-server/releases"
},
{
"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68",
"refsource": "CONFIRM",
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68"
},
{
"name": "https://advisories.nats.io/CVE/CVE-2022-26652.txt",
"refsource": "CONFIRM",
"url": "https://advisories.nats.io/CVE/CVE-2022-26652.txt"
},
{
"name": "[oss-security] 20220309 CVE-2022-26652: nats-server arbitrary file write",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/03/10/1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-26652",
"datePublished": "2022-03-10T03:48:44.000Z",
"dateReserved": "2022-03-07T00:00:00.000Z",
"dateUpdated": "2024-08-03T05:11:44.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24450 (GCVE-0-2022-24450)
Vulnerability from nvd – Published: 2022-02-08 01:14 – Updated: 2024-08-03 04:13
VLAI
EPSS
VEX
Summary
NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/nats-io/nats-server/releases/t… | x_refsource_MISC |
| https://advisories.nats.io/CVE/CVE-2022-24450.txt | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:13:55.583Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://advisories.nats.io/CVE/CVE-2022-24450.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the \"dynamically provisioned sandbox accounts\" feature."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-08T01:14:48.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://advisories.nats.io/CVE/CVE-2022-24450.txt"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-24450",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the \"dynamically provisioned sandbox accounts\" feature."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2",
"refsource": "MISC",
"url": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2"
},
{
"name": "https://advisories.nats.io/CVE/CVE-2022-24450.txt",
"refsource": "CONFIRM",
"url": "https://advisories.nats.io/CVE/CVE-2022-24450.txt"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-24450",
"datePublished": "2022-02-08T01:14:48.000Z",
"dateReserved": "2022-02-04T00:00:00.000Z",
"dateUpdated": "2024-08-03T04:13:55.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-26652 (GCVE-0-2022-26652)
Vulnerability from cvelistv5 – Published: 2022-03-10 03:48 – Updated: 2024-08-03 05:11
VLAI
EPSS
VEX
Summary
NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/nats-io/nats-server/releases | x_refsource_MISC |
| https://github.com/nats-io/nats-server/security/a… | x_refsource_CONFIRM |
| https://advisories.nats.io/CVE/CVE-2022-26652.txt | x_refsource_CONFIRM |
| http://www.openwall.com/lists/oss-security/2022/03/10/1 | mailing-listx_refsource_MLIST |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T05:11:44.439Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nats-io/nats-server/releases"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://advisories.nats.io/CVE/CVE-2022-26652.txt"
},
{
"name": "[oss-security] 20220309 CVE-2022-26652: nats-server arbitrary file write",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2022/03/10/1"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-03-10T12:06:14.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nats-io/nats-server/releases"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://advisories.nats.io/CVE/CVE-2022-26652.txt"
},
{
"name": "[oss-security] 20220309 CVE-2022-26652: nats-server arbitrary file write",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2022/03/10/1"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-26652",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nats-io/nats-server/releases",
"refsource": "MISC",
"url": "https://github.com/nats-io/nats-server/releases"
},
{
"name": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68",
"refsource": "CONFIRM",
"url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68"
},
{
"name": "https://advisories.nats.io/CVE/CVE-2022-26652.txt",
"refsource": "CONFIRM",
"url": "https://advisories.nats.io/CVE/CVE-2022-26652.txt"
},
{
"name": "[oss-security] 20220309 CVE-2022-26652: nats-server arbitrary file write",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2022/03/10/1"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-26652",
"datePublished": "2022-03-10T03:48:44.000Z",
"dateReserved": "2022-03-07T00:00:00.000Z",
"dateUpdated": "2024-08-03T05:11:44.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-24450 (GCVE-0-2022-24450)
Vulnerability from cvelistv5 – Published: 2022-02-08 01:14 – Updated: 2024-08-03 04:13
VLAI
EPSS
VEX
Summary
NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/nats-io/nats-server/releases/t… | x_refsource_MISC |
| https://advisories.nats.io/CVE/CVE-2022-24450.txt | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T04:13:55.583Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://advisories.nats.io/CVE/CVE-2022-24450.txt"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the \"dynamically provisioned sandbox accounts\" feature."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-08T01:14:48.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://advisories.nats.io/CVE/CVE-2022-24450.txt"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2022-24450",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the \"dynamically provisioned sandbox accounts\" feature."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2",
"refsource": "MISC",
"url": "https://github.com/nats-io/nats-server/releases/tag/v2.7.2"
},
{
"name": "https://advisories.nats.io/CVE/CVE-2022-24450.txt",
"refsource": "CONFIRM",
"url": "https://advisories.nats.io/CVE/CVE-2022-24450.txt"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2022-24450",
"datePublished": "2022-02-08T01:14:48.000Z",
"dateReserved": "2022-02-04T00:00:00.000Z",
"dateUpdated": "2024-08-03T04:13:55.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}