Duplicate Advisory: NATS.io: Adding accounts for just the system account adds auth bypass

GHSA-4frv-5fj6-4p25

Published Oct 30, 2023 · Modified Oct 31, 2023

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-fr2g-9hjm-wr23. This link is maintained to preserve external references.

Original Description

NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0.

References

WEB https://github.com/nats-io/nats-server/security/advisories/GHSA-fr2g-9hjm-wr23
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-47090
WEB https://www.openwall.com/lists/oss-security/2023/10/13/2
WEB http://www.openwall.com/lists/oss-security/2023/10/30/1

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes