1. Home
  2. CVE Database
  3. CVE-2020-28466
HIGH · 7.5

CVE-2020-28466

This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from...

Vulnerability Description

This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers. Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention. Those who are running such services are encouraged to build regularly from git.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH

Affected Products

VendorProductVersions
LinuxfoundationNats-Server>= 2.0.0, < 2.2.0

References

FAQ

What is CVE-2020-28466?

CVE-2020-28466 is a vulnerability with a CVSS score of 7.5 (HIGH). This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from...

How severe is CVE-2020-28466?

CVE-2020-28466 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-28466?

Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Nats-Server.