CVE-2023-46129

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. In nkeys versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3, the nkeys library's `xkeys` encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing.
FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY. nkeys Go library 0.4.6, corresponding with NATS Server 2.10.4, has a patch for this issue. No known workarounds are available. For any application handling auth callouts in Go, if using the nkeys library, update the dependency, recompile and deploy that in lockstep.
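The root cause described above is a Go language pitfall: an array type such as `[32]byte` is a value type, so a callee that receives one by value writes into its own copy and the caller's buffer stays zero-initialised. The following is an added example written for this record; it is not code from the nkeys library or from the NATS project. The helper names (fillKeyByValue, fillKeyByPointer, DeriveKeyBuggy, DeriveKeyFixed, CheckKey) are hypothetical, and the sample secret is a constructed byte pattern rather than a real shared secret. Beyond the bug itself, it adds a zero-key guard that a caller or a unit test can use to detect this class of failure before any ciphertext is produced.

```go
package main

import (
	"errors"
	"fmt"
)

// KeySize is the 32-byte symmetric key length used by NaCl-style boxes,
// the size of the key the affected xkeys logic derives.
const KeySize = 32

// ErrZeroKey is returned by CheckKey when a derived key is still all zeros.
var ErrZeroKey = errors.New("derived encryption key is all zeros")

// fillKeyByValue is a hypothetical helper reproducing the pitfall: Go passes
// arrays by value, so dst is a private copy and the caller's array is never
// populated, however many bytes are copied into it here.
func fillKeyByValue(dst [KeySize]byte, secret []byte) {
	copy(dst[:], secret)
}

// fillKeyByPointer is the corrected shape: the callee writes through a
// pointer (passing the slice dst[:] would work equally well), so the caller
// observes the populated key.
func fillKeyByPointer(dst *[KeySize]byte, secret []byte) {
	copy(dst[:], secret)
}

// DeriveKeyBuggy mirrors the vulnerable control flow: the buffer handed to
// the helper is left at its zero value, and that zero buffer is what a caller
// would then feed to the encryption primitive.
func DeriveKeyBuggy(secret []byte) [KeySize]byte {
	var key [KeySize]byte
	fillKeyByValue(key, secret)
	return key
}

// DeriveKeyFixed passes the buffer by pointer so the helper's writes persist.
func DeriveKeyFixed(secret []byte) [KeySize]byte {
	var key [KeySize]byte
	fillKeyByPointer(&key, secret)
	return key
}

// CheckKey is a defensive guard to place before any encryption call: a key
// that still equals the array zero value means derivation never happened.
// Arrays are comparable in Go, so this is a single constant-size comparison.
func CheckKey(key [KeySize]byte) error {
	if key == [KeySize]byte{} {
		return ErrZeroKey
	}
	return nil
}

func main() {
	// Constructed sample secret (a counter pattern); in the real library this
	// would be a Curve25519 shared secret.
	secret := make([]byte, KeySize)
	for i := range secret {
		secret[i] = byte(i + 1)
	}
	buggy := DeriveKeyBuggy(secret)
	fixed := DeriveKeyFixed(secret)
	fmt.Printf("by value  : %x  guard: %v\n", buggy[:], CheckKey(buggy))
	fmt.Printf("by pointer: %x  guard: %v\n", fixed[:], CheckKey(fixed))
}
```

Run it with `go run .` to see the by-value path print 32 zero bytes while the by-pointer path prints the populated key. The guard is cheap enough to leave in production code paths, and a unit test asserting that a freshly derived key is not the zero array would have caught this regression at build time.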
Provider   Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       NIST  7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
GitHub_M   CNA   7.5 HIGH    NETWORK      LOW              NONE            CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE        ADP   ---         ---
CISA-ADP   ADP   ---         ---

EPSS Score: percentile 32%
Vendor  Product      Version
nats    nats_server  2.10.0 ≤ x < 2.10.4
nats    nkeys        0.4.0 ≤ x < 0.4.6

x = Vulnerable software versions
Debian Releases

Debian Product               Codename  Version                      Status
golang-github-nats-io-nkeys  bullseye  0.0~git20181103.f9a6cff-1.1  not-affected
golang-github-nats-io-nkeys  bookworm  0.3.0-2                      not-affected
golang-github-nats-io-nkeys  buster    -                            not-affected
golang-github-nats-io-nkeys  trixie    0.4.8-1                      fixed
golang-github-nats-io-nkeys  sid       0.4.8-1                      fixed
nats-server                  bookworm  2.9.10-1                     not-affected
nats-server                  bullseye  -                            not-affected
nats-server                  buster    -                            not-affected
nats-server                  trixie    2.10.24-1                    fixed
nats-server                  sid       2.10.24-1                    fixed
Ubuntu Releases

Ubuntu Product               Codename  Status
golang-github-nats-io-nkeys  oracular  needs-triage
golang-github-nats-io-nkeys  noble     needs-triage
golang-github-nats-io-nkeys  mantic    ignored
golang-github-nats-io-nkeys  lunar     ignored
golang-github-nats-io-nkeys  jammy     needs-triage
golang-github-nats-io-nkeys  focal     needs-triage
golang-github-nats-io-nkeys  bionic    ignored
golang-github-nats-io-nkeys  xenial    ignored
golang-github-nats-io-nkeys  trusty    ignored
nats-server                  oracular  needs-triage
nats-server                  noble     needs-triage
nats-server                  mantic    ignored
nats-server                  lunar     ignored
nats-server                  jammy     dne
nats-server                  focal     dne
nats-server                  bionic    ignored
nats-server                  xenial    ignored
nats-server                  trusty    ignored