CVE-2022-24450

NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.
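| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 8.8 HIGH | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| mitre | CNA | --- | | | | --- |
| CVE | ADP | --- | | | | --- |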
EPSS Score Percentile: 52%
| Vendor | Product | Version |
|---|---|---|
| nats | nats_server | 2.0.0 ≤ x < 2.7.2 |
| nats | nats_streaming_server | 0.15.0 ≤ x < 0.24.1 |

x = Vulnerable software versions
Debian Releases
| Debian Product | Codename | Version | Status |
|---|---|---|---|
| nats-server | bookworm | 2.9.10-1 | fixed |
| nats-server | sid | 2.10.18-1 | fixed |
| nats-server | trixie | 2.10.18-1 | fixed |