CVE-2022-24450

EUVD-2022-1000
NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 8.8 HIGH | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
EPSS Score Percentile: 66%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| nats | nats_server | 2.0.0 ≤ 𝑥 < 2.7.2 |
| nats | nats_streaming_server | 0.15.0 ≤ 𝑥 < 0.24.1 |

𝑥 = Vulnerable software versions
Debian Releases
| Debian Product | Codename | Version | Status |
|---|---|---|---|
| nats-server | bookworm | 2.9.10-1 | fixed |
| nats-server | sid | 2.10.18-1 | fixed |
| nats-server | trixie | 2.10.18-1 | fixed |