Base Score

HIGH8.8

CVE-2022-24450

NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.

VectorNETWORK

Published Bycve@mitre.org

Published DateFeb 08, 2022, 02:15

Affected Versions(2)

github.com/nats-io/nats-server/v2(Go)

Introduced2.0.0

Fixed2.7.2

LimitN/A

github.com/nats-io/nats-streaming-server(Go)

Introduced0.15.0

Fixed0.24.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
github.com/nats-io/nats-server/v2(Go)	2.0.0	2.7.2	N/A
github.com/nats-io/nats-streaming-server(Go)	0.15.0	0.24.1	N/A

Weakness Type (CWE):CWE-862

CVSS Metrics

Base Score

8.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

Base Score

HIGH8.8

Weakness Type (CWE):CWE-862

CVSS Metrics

Base Score

8.8

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

LOW

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH