GHSA-2h2x-8hh2-mfq8

Source
https://github.com/advisories/GHSA-2h2x-8hh2-mfq8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-2h2x-8hh2-mfq8/GHSA-2h2x-8hh2-mfq8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2h2x-8hh2-mfq8
Aliases
Published
2024-07-11T21:31:12Z
Modified
2024-10-30T18:50:03Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
NATS Server and Streaming Server fail to enforce negative user permissions, may allow denied subjects
Details

NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, because negative user permissions are not enforced in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to gain access to denied subjects.

Database specific
{
    "nvd_published_at": "2024-07-11T21:15:10Z",
    "cwe_ids": [
        "CWE-863"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-07-12T14:01:30Z"
}
References

Affected packages

Go / github.com/nats-io/nats-server/v2

Package

Name
github.com/nats-io/nats-server/v2
Purl
pkg:golang/github.com/nats-io/nats-server/v2

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.8.2

Go / github.com/nats-io/nats-streaming-server

Package

Name
github.com/nats-io/nats-streaming-server
Purl
pkg:golang/github.com/nats-io/nats-streaming-server

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.24.6