exploitDog

CVE-2022-29946

Published: Jul 11, 2024
Source: redhat
CVSS3: 5.4
EPSS: Low

Description

NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.

A flaw was found in the NATS Server and NATS Streaming Server. Affected versions of this package could allow a remote attacker to bypass security restrictions due to a failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.

Mitigation

Rewrite user permission rules so that they only grant access (allow lists) and never rely on deny rules.
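As an added illustration of this mitigation (not part of the original advisory), the following NATS server configuration fragment places a deny-based subscribe rule beside its allow-only rewrite; the user names, password placeholder and subject names are constructed for the example.

```conf
# Constructed example: user names, password and subjects are placeholders.
authorization {
  users = [
    # Weak pattern: a wildcard grant with an exception carved out by "deny".
    # This is the rule shape the advisory's mitigation tells you to avoid.
    {
      user: "reporting_before"
      password: "CHANGE-ME"
      permissions: {
        subscribe: {
          allow: ["orders.>"]
          deny:  ["orders.internal.>"]
        }
      }
    }
    # Hardened pattern: enumerate only the subjects the user may subscribe to,
    # with no "deny" entries at all, so nothing depends on deny enforcement.
    {
      user: "reporting"
      password: "CHANGE-ME"
      permissions: {
        subscribe: ["orders.public.>", "orders.status.*"]
      }
    }
  ]
}
```

After reloading the server, confirm the hardened user cannot subscribe to any subject outside the allow list by checking the server's permission-violation log entries.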

Affected packages

Platform | Package | State | Recommendation | Release
Red Hat OpenShift AI (RHOAI) | odh-ml-pipelines-api-server-v2-container | Affected | - | -
Red Hat OpenShift AI (RHOAI) | odh-ml-pipelines-driver-container | Affected | - | -
Red Hat OpenShift AI (RHOAI) | odh-ml-pipelines-launcher-container | Affected | - | -
Red Hat OpenShift AI (RHOAI) | odh-ml-pipelines-persistenceagent-v2-container | Affected | - | -
Red Hat OpenShift AI (RHOAI) | odh-ml-pipelines-scheduledworkflow-v2-container | Affected | - | -
Red Hat OpenShift Container Platform 4 | openshift4/ose-contour-rhel8 | Not affected | - | -
Red Hat Openshift Container Storage 4 | ocs4/mcg-rhel8-operator | Out of support scope | - | -
Red Hat Openshift Container Storage 4 | ocs4/ocs-must-gather-rhel8 | Out of support scope | - | -
Red Hat Openshift Container Storage 4 | ocs4/ocs-rhel8-operator | Out of support scope | - | -
Red Hat Trusted Profile Analyzer | trusted-content-tenant/trustification-guac | Not affected | - | -

Additional information

Status:

Moderate
Defect:
CWE-284
https://bugzilla.redhat.com/show_bug.cgi?id=2297418
nats-server: Negative user permissions not enforced in one scenario

EPSS

Percentile: 29%
0.00108
Low

5.4 Medium

CVSS3

Related vulnerabilities

CVSS3: 6.3
ubuntu
more than 1 year ago

NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.

CVSS3: 6.3
nvd
more than 1 year ago

NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.

CVSS3: 6.3
debian
more than 1 year ago

NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 co ...

CVSS3: 6.5
github
more than 1 year ago

NATS Server and Streaming Server fails to enforce negative user permissions, may allow denied subjects
