CVE-2023-47090
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0.
NATS nats-server anterior a 2.9.23 y 2.10.x anterior a 2.10.2 tiene una omisión de autenticación. Un usuario $G implícito en un bloque de autorización a veces se puede utilizar para acceso no autenticado, incluso cuando la intención de la configuración era que cada usuario tuviera una cuenta. La primera versión afectada es la 2.2.0.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-10-30 CVE Reserved
- 2023-10-30 CVE Published
- 2023-11-08 EPSS Updated
- 2024-09-09 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-863: Incorrect Authorization
CAPEC
References (3)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2023/10/30/1 | Mailing List |
|
| https://www.openwall.com/lists/oss-security/2023/10/13/2 | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/nats-io/nats-server/security/advisories/GHSA-fr2g-9hjm-wr23 | 2023-11-08 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linuxfoundation Search vendor "Linuxfoundation" | Nats-server Search vendor "Linuxfoundation" for product "Nats-server" | >= 2.2.0 < 2.9.23 Search vendor "Linuxfoundation" for product "Nats-server" and version " >= 2.2.0 < 2.9.23" | - |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Nats-server Search vendor "Linuxfoundation" for product "Nats-server" | >= 2.10.0 < 2.10.2 Search vendor "Linuxfoundation" for product "Nats-server" and version " >= 2.10.0 < 2.10.2" | - |
Affected
| ||||||