Veracode Vulnerability DatabaseVERACODE:43359Path Traversal
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
39.4%
NATS nats-server is vulnerable to Path Traversal. The vulnerability is caused by a missing validation check while constructing filenames for account synchronization, which happens in the system account, allowing arbitrary file write as the user running NATS by anyone who can publish arbitrary messages to the system account. This can lead to an unexpected write to an arbitrary file or a lateral movement by an attacker within a cluster or super-cluster as the system account is shared within such a deployment.
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/nats-io/nats-server | le | v2.7.4 | |
| github.com/nats-io/nats-server | le | v2.7.4 |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
39.4%