Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
osvGoogleOSV:GHSA-G6W6-R76C-28J7
HistoryFeb 08, 2022 - 5:23 p.m.

Incorrect Authorization in NATS nats-server

2022-02-0817:23:16
Google
osv.dev
177
nats
nats-server
authorization
access control
vulnerability
multi-tenancy
accounts
sandbox accounts
coding error
cve-2022-24450
nats streaming server
upgrade

EPSS

0.001

Percentile

36.9%

JSON

(This advisory is canonically <https://advisories.nats.io/CVE/CVE-2022-24450.txt&gt;)

Problem Description

NATS nats-server through 2022-02-04 has Incorrect Access Control, with unchecked ability for clients to authorize into any account, because of a coding error in a long-extant experimental feature.

A client crafting the initial protocol-level handshake could, with valid credentials for any account, specify a target account and switch into it immediately. This includes any other tenant, and includes the System account which controls nats-server core operations.

For deployments not using multi-tenancy through NATS Accounts, there is still a vulnerability: normal users are able to choose to be in the System account.

An experimental feature to provide dynamically provisioned sandbox accounts was designed to allow a server administrator to turn on an option to allow clients to dynamically request a brand new account inline at connection time. This feature went nowhere, but lived on in the code and was used by a number of tests; support was never added to any client libraries or to the documentation.

A bug in handling the feature meant that if someone did in fact have valid account credentials, then they could specify any other existing account and they would be assigned into that account.

Release 2.7.2 of nats-server removes the feature.
Because of the lack of client support and absence from protocol documentation, we feel this is safe operationally as well as the safest fix for the code.

Affected versions

NATS Server

  • All 2.x versions up to and including 2.7.1.
  • Fixed with nats-io/nats-server: 2.7.2
  • NATS Server 1.x did not have accounts.
  • Docker image: nats <https://hub.docker.com/_/nats&gt;

NATS Streaming Server

  • All versions embedding affected NATS Server:
    • Affected: v0.15.0 up to and including v0.24.0
    • Fixed with nats-io/nats-streaming-server: 0.24.1
  • Docker image: nats-streaming <https://hub.docker.com/_/nats-streaming&gt;

Impact

Existing users could act in any account, including the System account.

Workaround

None.

Solution

Upgrade the NATS server.

Related

nvd 1
mageia 1
debiancve 1
veracode 1
prion 1
openvas 1
osv 3
github 1
redhatcve 1
cvelist 1
cve 1
redhat 6
nvd
nvd
CVE-2022-24450
2022-02-08 02:15:06
mageia
mageia
Updated nats-server packages fix security vulnerability
2022-06-13 23:44:20
debiancve
debiancve
CVE-2022-24450
2022-02-08 02:15:06
veracode
veracode
Privilege Escalation
2022-02-09 09:29:16
prion
prion
Design/Logic Flaw
2022-02-08 02:15:00
openvas
openvas
Mageia: Security Advisory (MGASA-2022-0225)
2022-06-14 00:00:00
osv
osv
Incorrect Authorization in NATS nats-server in github.com/nats-io/nats-server
2024-08-21 14:30:26
CVE-2022-24450
2022-02-08 02:15:06
BIT-nats-2022-24450
2024-03-06 10:58:21
github
github
Incorrect Authorization in NATS nats-server
2022-02-08 17:23:16
redhatcve
redhatcve
CVE-2022-24450
2022-02-09 15:45:28
cvelist
cvelist
CVE-2022-24450
2022-02-08 01:14:48
cve
cve
CVE-2022-24450
2022-02-08 02:15:06
redhat
redhat
(RHSA-2022:1681) Moderate: Red Hat Advanced Cluster Management 2.4.4 security updates and bug fixes
2022-05-03 14:27:08
(RHSA-2022:5531) Moderate: Red Hat Advanced Cluster Management 2.5.1 security updates and bug fixes
2022-07-07 11:48:54
(RHSA-2022:0735) Important: Red Hat Advanced Cluster Management 2.4.2 security updates and bug fixes
2022-03-03 01:33:59

EPSS

0.001

Percentile

36.9%

JSON
Related for OSV:GHSA-G6W6-R76C-28J7
nvd1mageia1debiancve1veracode1prion1openvas1osv3github1redhatcve1cvelist1cve1redhat6