CVE-2022-24450

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-24450
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24450.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-24450
Aliases
Related
Published
2022-02-08T02:15:06Z
Modified
2025-05-28T10:29:42.203237Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.

References

Affected packages

Git / github.com/nats-io/nats-server

Affected ranges

Type
GIT
Repo
https://github.com/nats-io/nats-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Type
GIT
Repo
https://github.com/nats-io/nats-streaming-server
Events

Affected versions

v0.*

v0.15.0
v0.15.1
v0.16.0
v0.16.2
v0.17.0
v0.18.0
v0.19.0
v0.20.0
v0.21.0
v0.21.1
v0.21.2
v0.22.0
v0.22.1
v0.23.0
v0.23.1
v0.23.2
v0.24.0
v0.5.1
v0.5.2
v0.5.4
v0.5.6
v0.6.0
v0.6.2
v0.6.4
v0.6.6
v0.6.8
v0.7.0
v0.7.2
v0.8.0
v0.8.1
v0.9.2
v0.9.4
v0.9.6

v1.*

v1.0.0
v1.0.2
v1.0.4
v1.0.6
v1.1.0
v1.2.0
v1.3.0

v2.*

v2.0.0
v2.0.0-RC14
v2.0.0-RC19
v2.0.2
v2.0.4
v2.1.0
v2.1.2
v2.1.4
v2.1.6
v2.1.7
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.4.0
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.7.0
v2.7.0-rc1
v2.7.0-rc2
v2.7.1