CVE-2020-28466

NameCVE-2020-28466
DescriptionThis affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers. Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention. Those who are running such services are encouraged to build regularly from git.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nats-server (PTS)bookworm2.9.10-1fixed
sid, trixie2.10.7-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nats-serversource(unstable)(not affected)

Notes

- nats-server <not-affected> (Fixed before initial upload to Debian)
https://github.com/nats-io/nats-server/pull/1731
http://www.openwall.com/lists/oss-security/2021/03/16/2
Search for package or bug name: Reporting problems