CVE-2023-47090

NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*

History

08 Nov 2023, 00:15

Type Values Removed Values Added
CPE cpe:2.3:a:linuxfoundation:nats-server:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5
References (MLIST) http://www.openwall.com/lists/oss-security/2023/10/30/1 - (MLIST) http://www.openwall.com/lists/oss-security/2023/10/30/1 - Mailing List
References (MISC) https://www.openwall.com/lists/oss-security/2023/10/13/2 - (MISC) https://www.openwall.com/lists/oss-security/2023/10/13/2 - Mailing List, Mitigation
References (MISC) https://github.com/nats-io/nats-server/security/advisories/GHSA-fr2g-9hjm-wr23 - (MISC) https://github.com/nats-io/nats-server/security/advisories/GHSA-fr2g-9hjm-wr23 - Vendor Advisory
First Time Linuxfoundation nats-server
Linuxfoundation
CWE CWE-863

30 Oct 2023, 21:15

Type Values Removed Values Added
References
  • (MLIST) http://www.openwall.com/lists/oss-security/2023/10/30/1 -

30 Oct 2023, 17:20

Type Values Removed Values Added
New CVE

Information

Published : 2023-10-30 17:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-47090

Mitre link : CVE-2023-47090

CVE.ORG link : CVE-2023-47090


JSON object : View

Products Affected

linuxfoundation

  • nats-server
CWE
CWE-863

Incorrect Authorization