Vulnerability Description
NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.
CVSS Score
8.8 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Nats-Server | >= 2.0.0, < 2.7.2 |
| Nats | Nats Streaming Server | >= 0.15.0, < 0.24.1 |
Related Weaknesses (CWE)
References
- https://advisories.nats.io/CVE/CVE-2022-24450.txt (Vendor Advisory)
- https://github.com/nats-io/nats-server/releases/tag/v2.7.2 (Release Notes, Third Party Advisory)
FAQ
What is CVE-2022-24450?
CVE-2022-24450 is a vulnerability with a CVSS score of 8.8 (HIGH). NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.
How severe is CVE-2022-24450?
CVE-2022-24450 has been rated HIGH with a CVSS base score of 8.8/10. See the CVSS Score section above; the full metric vector is not included on this page.
Is there a patch for CVE-2022-24450?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Nats-Server, Nats Nats Streaming Server.