CVE-2022-29946

NameCVE-2022-29946
DescriptionNATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs914290

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
nats-server (PTS)bookworm2.9.10-1fixed
sid, trixie2.10.18-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
golang-github-nats-io-nats-streaming-serverITP914290
nats-serversource(unstable)2.9.8-1

Notes

https://github.com/nats-io/advisories/blob/main/CVE/CVE-2022-29946.txt
Search for package or bug name: Reporting problems