Vulnerability Description
NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Linuxfoundation | Nats-Server | >= 2.2.0, < 2.9.23 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2023/10/30/1Mailing List
- https://github.com/nats-io/nats-server/security/advisories/GHSA-fr2g-9hjm-wr23Vendor Advisory
- https://www.openwall.com/lists/oss-security/2023/10/13/2Mailing ListMitigation
- http://www.openwall.com/lists/oss-security/2023/10/30/1Mailing List
- https://github.com/nats-io/nats-server/security/advisories/GHSA-fr2g-9hjm-wr23Vendor Advisory
- https://www.openwall.com/lists/oss-security/2023/10/13/2Mailing ListMitigation
FAQ
What is CVE-2023-47090?
CVE-2023-47090 is a vulnerability with a CVSS score of 6.5 (MEDIUM). NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the inte...
How severe is CVE-2023-47090?
CVE-2023-47090 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-47090?
Check the references section above for vendor advisories and patch information. Affected products include: Linuxfoundation Nats-Server.