CVE-2023-47090

NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0.
CVSS scores by provider

Provider   Type   Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       NIST   6.5 MEDIUM   NETWORK       LOW               LOW              CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
mitre      CNA    ---          ---
CVE        ADP    ---          ---
CISA-ADP   ADP    ---          ---
Base Score: CVSS 3.x
EPSS Score: percentile 49%
Affected versions (x = vulnerable software version)

Vendor            Product       Version
linuxfoundation   nats-server   2.2.0 ≤ x < 2.9.23
linuxfoundation   nats-server   2.10.0 ≤ x < 2.10.2
Debian Releases

Debian Product   Codename   Status
nats-server      bookworm   no-dsa
nats-server      sid        2.10.24-1 (fixed)
nats-server      trixie     2.10.24-1 (fixed)
Ubuntu Releases

Ubuntu Product   Codename   Status
nats-server      noble      not-affected
nats-server      mantic     ignored
nats-server      lunar      ignored
nats-server      jammy      dne
nats-server      focal      dne
nats-server      bionic     ignored
nats-server      xenial     ignored
nats-server      trusty     ignored