Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Nats_server
(Nats)| Repositories |
Unknown: This might be proprietary software. |
| #Vulnerabilities | 6 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-03-07 | CVE-2020-28466 | This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers. Fixes for denial of service issues... | Nats_server | 7.5 | ||
| 2021-03-16 | CVE-2021-3127 | NATS Server 2.x before 2.2.0 and JWT library before 2.0.1 have Incorrect Access Control because Import Token bindings are mishandled. | Jwt_library, Nats_server | 7.5 | ||
| 2022-02-08 | CVE-2022-24450 | NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature. | Nats_server, Nats_streaming_server | 8.8 | ||
| 2022-03-10 | CVE-2022-26652 | NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected. | Nats_server, Nats_streaming_server | 6.5 | ||
| 2023-10-31 | CVE-2023-46129 | NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. In nkeys versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3, the nkeys library's `xkeys` encryption... | Nats_server, Nkeys | 7.5 | ||
| 2019-07-29 | CVE-2019-13126 | An integer overflow in NATS Server before 2.0.2 allows a remote attacker to crash the server by sending a crafted request. If authentication is enabled, then the remote attacker must have first authenticated. | Nats_server | 7.5 |