Skip to content

Duplicate Advisory: NATS.io: Adding accounts for just the system account adds auth bypass

Moderate severity GitHub Reviewed Published Oct 30, 2023 to the GitHub Advisory Database • Updated Nov 9, 2023
Withdrawn This advisory was withdrawn on Oct 31, 2023

Package

gomod github.com/nats-io/nats-server/v2 (Go)

Affected versions

>= 2.2.0, < 2.9.23
>= 2.10.0, < 2.10.2

Patched versions

2.9.23
2.10.2

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-fr2g-9hjm-wr23. This link is maintained to preserve external references.

Original Description

NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0.

References

Published by the National Vulnerability Database Oct 30, 2023
Published to the GitHub Advisory Database Oct 30, 2023
Reviewed Oct 31, 2023
Withdrawn Oct 31, 2023
Last updated Nov 9, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-4frv-5fj6-4p25

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.