exploitDog
CVE-2022-24450

Published: 07 Feb 2022
Source: redhat
CVSS3: 8.8
EPSS: Low

Description

NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.

A flaw was found in the NATS nats-server in an experimental feature that provides dynamically provisioned sandbox accounts that do not check the clients’ authorization. This flaw allows an attacker to take advantage of its valid account and switch over to another existing account without further authentication.

Affected packages

Platform | Package | Status | Recommendation | Release
Red Hat Advanced Cluster Management for Kubernetes 2 | rbac-query-proxy-container | Affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/acm-grafana-rhel8 | Affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/agent-service-rhel8 | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/assisted-installer-agent-rhel8 | Will not fix | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/assisted-installer-reporter-rhel8 | Not affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/assisted-installer-rhel8 | Not affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/clusterlifecycle-state-metrics-rhel8 | Not affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/endpoint-monitoring-rhel8-operator | Affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/grafana-dashboard-loader-rhel8 | Affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/kube-state-metrics-rhel8 | Affected | |


Additional information

Status: Moderate
Defect: CWE-863->CWE-1220
https://bugzilla.redhat.com/show_bug.cgi?id=2052573
nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account

EPSS: 0.00529 (percentile: 67%), Low
CVSS3: 8.8 High

Related vulnerabilities

CVSS3: 8.8
nvd
almost 4 years ago

NATS nats-server before 2.7.2 has Incorrect Access Control. Any authenticated user can obtain the privileges of the System account by misusing the "dynamically provisioned sandbox accounts" feature.

CVSS3: 8.8
debian
almost 4 years ago

NATS nats-server before 2.7.2 has Incorrect Access Control. Any authen ...

CVSS3: 8.8
github
almost 4 years ago

Incorrect Authorization in NATS nats-server
