CVE-2022-26652

NameCVE-2022-26652
DescriptionNATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nats-server (PTS)bookworm2.9.10-1fixed
trixie2.10.18-1fixed
sid2.10.24-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
nats-serversource(unstable)(not affected)

Notes

- nats-server <not-affected> (Fixed before initial upload to Debian)
https://advisories.nats.io/CVE/CVE-2022-26652.txt
https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68
http://www.openwall.com/lists/oss-security/2022/03/10/1

Search for package or bug name: Reporting problems