CVE-2023-47090

EUVD-2023-2730
NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0.
CVSS 3.x (provider: NIST, primary)
Base score:           6.5 MEDIUM
Attack vector:        NETWORK
Attack complexity:    LOW
Privileges required:  LOW
User interaction:     NONE
Scope:                UNCHANGED
Impact (C / I / A):   HIGH / NONE / NONE
Vector:               CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS percentile:      43%
Affected Products (NVD)
Vendor: linuxfoundation    Product: nats-server
Vulnerable versions (x):
  2.2.0  ≤ x < 2.9.23
  2.10.0 ≤ x < 2.10.2
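A practical check for this issue combines the two facts the page gives: the affected version ranges above, and that an affected server can accept a connection with no credentials. The script below is an added example, not code from the tracker page or from the NATS project. It reads the server's INFO greeting (which carries the version string), sends an unauthenticated CONNECT and PING over the public NATS client wire protocol, and reports whether a PONG (anonymous access accepted) or an -ERR (authentication enforced) comes back. The host and port defaults and the sample INFO lines are constructed for illustration; the live probe should only be pointed at servers you are authorized to test.

```python
"""Version-range and anonymous-access check for CVE-2023-47090 (nats-server).

Added example, not from the page or the NATS project. Wire-protocol tokens
(INFO, CONNECT, PING, PONG, -ERR) are the public NATS client protocol; the
sample INFO lines and host/port defaults below are constructed assumptions.
"""
import json
import socket

# Affected ranges exactly as listed by NVD: 2.2.0 <= x < 2.9.23, 2.10.0 <= x < 2.10.2
AFFECTED_RANGES = (((2, 2, 0), (2, 9, 23)), ((2, 10, 0), (2, 10, 2)))


def parse_version(ver: str) -> tuple:
    """'2.10.1' -> (2, 10, 1). A pre-release/build suffix such as '-RC.1' is
    dropped, so pre-release builds of a fixed version should be checked by hand."""
    core = ver.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(ver: str) -> bool:
    """True when the version string falls inside either NVD range."""
    v = parse_version(ver)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def parse_info(line: str) -> dict:
    """Parse the greeting the server sends first, e.g. 'INFO {"version":"2.9.22",...}\\r\\n'."""
    line = line.strip()
    if not line.startswith("INFO "):
        raise ValueError("expected an INFO line, got: %r" % line[:40])
    return json.loads(line[5:])


def classify_reply(reply: str) -> str:
    """Classify the server's answer to an unauthenticated CONNECT + PING.
    'open'    -> PONG: the anonymous connection was accepted.
    'denied'  -> -ERR (normally 'Authorization Violation'): auth is enforced.
    'unknown' -> neither seen (timeout, silent close, partial read)."""
    for raw in reply.split("\r\n"):
        tok = raw.strip()
        if tok == "PONG":
            return "open"
        if tok.startswith("-ERR"):
            return "denied"
    return "unknown"


def assess(info_line: str, reply: str) -> dict:
    """Combine the version check with the observed behaviour. Note that the
    'auth_required' flag in INFO only says auth is configured; only the reply
    to an anonymous PING shows whether it is actually enforced."""
    info = parse_info(info_line)
    version = info.get("version", "")
    return {
        "version": version,
        "version_affected": is_affected(version) if version else None,
        "advertises_auth": bool(info.get("auth_required", False)),
        "anonymous_access": classify_reply(reply),
    }


def probe(host: str = "127.0.0.1", port: int = 4222, timeout: float = 3.0) -> dict:
    """Live check against a server you are authorized to test (host/port are assumptions)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rb")
        info_line = f.readline().decode()
        s.sendall(b'CONNECT {"verbose":false,"pedantic":false,"protocol":1}\r\n')
        s.sendall(b"PING\r\n")
        reply = ""
        try:
            for _ in range(4):  # a few lines are enough to see PONG or -ERR
                chunk = f.readline().decode()
                if not chunk:
                    break
                reply += chunk
                if chunk.strip() == "PONG" or chunk.startswith("-ERR"):
                    break
        except socket.timeout:
            pass
    return assess(info_line, reply)


if __name__ == "__main__":
    # Constructed transcripts, not captured from real servers.
    affected = 'INFO {"server_id":"NAAA","version":"2.9.22","auth_required":true,"port":4222}\r\n'
    print(assess(affected, "PONG\r\n"))
    fixed = 'INFO {"server_id":"NBBB","version":"2.10.2","auth_required":true,"port":4222}\r\n'
    print(assess(fixed, "-ERR 'Authorization Violation'\r\n"))
```

A result of `version_affected: True` together with `anonymous_access: "open"` on a server whose configuration defines users is the combination this CVE describes; upgrading to 2.9.23 or 2.10.2 (or later) and re-running the probe should turn the second field into `"denied"`. A version inside the affected range with `"denied"` still warrants the upgrade, since the probe only exercises one connection path.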
Debian Releases (package: nats-server)
Codename   Version     Status
bookworm   -           no-dsa
sid        2.10.24-1   fixed
trixie     2.10.24-1   fixed
Ubuntu Releases (package: nats-server)
Codename   Status
bionic     ignored
focal      dne
jammy      dne
lunar      ignored
mantic     ignored
noble      not-affected
trusty     ignored
xenial     ignored

Status key: dne = package does not exist in that release; no-dsa = Debian will not issue a security advisory for this issue in that release; ignored = the distribution has triaged the issue and will not fix it in that release.