8000 x/vulndb: potential Go vuln in github.com/nats-io/nats-server/v2: GHSA-gwj5-3vfq-q992 · Issue #398 · golang/vulndb · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content
x/vulndb: potential Go vuln in github.com/nats-io/nats-server/v2: GHSA-gwj5-3vfq-q992 #398
New issue
New issue
Closed
Closed
x/vulndb: potential Go vuln in github.com/nats-io/nats-server/v2: GHSA-gwj5-3vfq-q992#398
Labels
excluded: EFFECTIVELY_PRIVATEThis vulnerability exists in a package can be imported, but isn't meant to be outside that module.
@GoVulnBot

Description

@GoVulnBot
GoVulnBot
opened on Mar 24, 2022

In GitHub Security Advisory GHSA-gwj5-3vfq-q992, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/nats-io/nats-server/v2 2.2.0 < 2.2.0

See doc/triage.md for instructions on how to triage this report.

package: github.com/nats-io/nats-server/v2
versions:
  - introduced: v0.0.0
    fixed: v2.2.0
description: |-
    (This advisory is canonically <https://advisories.nats.io/CVE/CVE-2020-28466.txt>)

    ## Problem Description

    An export/import cycle between accounts could crash the nats-server, after consuming CPU and memory.

    This issue was fixed publicly in <https://github.com/nats-io/nats-server/pull/1731> in November 2020.

    The need to call this out as a security issue was highlighted by `snyk.io` and we are grateful for their assistance in doing so.

    Organizations which run a NATS service providing access to accounts run by untrusted third parties are affected.
    See below for an important caveat if running such a service.


    ## Affected versions

    #### NATS Server

     * Version 2 prior to 2.2.0
       + 2.0.0 through and including 2.1.9 are vulnerable.
     * fixed with nats-io/nats-server PR 1731, commit 2e3c226729


    ## Impact

    The nats-server could be killed, after consuming resources.


    ## Workaround

    The import cycle requires at least two accounts to work; if you have open account sign-up, then restricting new account sign-up might hinder an attacker.


    ## Solution

    Upgrade the nats-server.


    ## Caveat on NATS with untrusted users

    Running a NATS service which is exposed to untrusted users presents a heightened risk.

    Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers.

    Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention.

    Those who are running such services are encouraged to build regularly from git.
published: 2021-05-21T16:22:16Z
last_modified: 2021-05-21T16:22:16Z
ghsas:
  - GHSA-gwj5-3vfq-q992

Metadata

Metadata

Assignees

No one assigned

    Labels

    excluded: EFFECTIVELY_PRIVATEThis vulnerability exists in a package can be imported, but isn't meant to be outside that module.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions
      0