Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/nats-io/nats-server/v2: GHSA-gwj5-3vfq-q992 #398

Closed
GoVulnBot opened this issue Mar 24, 2022 · 3 comments
Closed

x/vulndb: potential Go vuln in github.com/nats-io/nats-server/v2: GHSA-gwj5-3vfq-q992 #398

GoVulnBot opened this issue Mar 24, 2022 · 3 comments
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.

Comments

@GoVulnBot
Copy link

In GitHub Security Advisory GHSA-gwj5-3vfq-q992, there is a vulnerability in the following Go packages or modules:

Unit Fixed Vulnerable Ranges
github.com/nats-io/nats-server/v2 2.2.0 < 2.2.0

See doc/triage.md for instructions on how to triage this report.

package: github.com/nats-io/nats-server/v2
versions:
  - introduced: v0.0.0
    fixed: v2.2.0
description: |-
    (This advisory is canonically <https://advisories.nats.io/CVE/CVE-2020-28466.txt>)

    ## Problem Description

    An export/import cycle between accounts could crash the nats-server, after consuming CPU and memory.

    This issue was fixed publicly in <https://github.com/nats-io/nats-server/pull/1731> in November 2020.

    The need to call this out as a security issue was highlighted by `snyk.io` and we are grateful for their assistance in doing so.

    Organizations which run a NATS service providing access to accounts run by untrusted third parties are affected.
    See below for an important caveat if running such a service.


    ## Affected versions

    #### NATS Server

     * Version 2 prior to 2.2.0
       + 2.0.0 through and including 2.1.9 are vulnerable.
     * fixed with nats-io/nats-server PR 1731, commit 2e3c226729


    ## Impact

    The nats-server could be killed, after consuming resources.


    ## Workaround

    The import cycle requires at least two accounts to work; if you have open account sign-up, then restricting new account sign-up might hinder an attacker.


    ## Solution

    Upgrade the nats-server.


    ## Caveat on NATS with untrusted users

    Running a NATS service which is exposed to untrusted users presents a heightened risk.

    Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers.

    Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention.

    Those who are running such services are encouraged to build regularly from git.
published: 2021-05-21T16:22:16Z
last_modified: 2021-05-21T16:22:16Z
ghsas:
  - GHSA-gwj5-3vfq-q992
@neild
Copy link
Contributor

neild commented Jun 16, 2022

Vulnerability in tool.

@neild neild closed this as completed Jun 16, 2022
@neild neild added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. and removed NotGoVuln labels Aug 11, 2022
@GoVulnBot GoVulnBot mentioned this issue Oct 19, 2023
Closed
@GoVulnBot GoVulnBot mentioned this issue Oct 31, 2023
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/592767 mentions this issue: data/reports: unexclude 50 reports

@gopherbot
Copy link
Contributor

Change https://go.dev/cl/607217 mentions this issue: data/reports: unexclude 20 reports (15)

gopherbot pushed a commit that referenced this issue Aug 21, 2024
@tatianab @gopherbot
data/reports: unexclude 20 reports (15)
229cf45 
  - data/reports/GO-2022-0367.yaml
  - data/reports/GO-2022-0368.yaml
  - data/reports/GO-2022-0369.yaml
  - data/reports/GO-2022-0372.yaml
  - data/reports/GO-2022-0374.yaml
  - data/reports/GO-2022-0375.yaml
  - data/reports/GO-2022-0377.yaml
  - data/reports/GO-2022-0378.yaml
  - data/reports/GO-2022-0381.yaml
  - data/reports/GO-2022-0387.yaml
  - data/reports/GO-2022-0388.yaml
  - data/reports/GO-2022-0389.yaml
  - data/reports/GO-2022-0390.yaml
  - data/reports/GO-2022-0392.yaml
  - data/reports/GO-2022-0393.yaml
  - data/reports/GO-2022-0395.yaml
  - data/reports/GO-2022-0396.yaml
  - data/reports/GO-2022-0398.yaml
  - data/reports/GO-2022-0405.yaml
  - data/reports/GO-2022-0406.yaml

Updates #367
Updates #368
Updates #369
Updates #372
Updates #374
Updates #375
Updates #377
Updates #378
Updates #381
Updates #387
Updates #388
Updates #389
Updates #390
Updates #392
Updates #393
Updates #395
Updates #396
Updates #398
Updates #405
Updates #406

Change-Id: I001f245aa4d9225668c2b30e3d5b4ca7a7e9b3b3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607217
Commit-Queue: Tatiana Bradley <[email protected]>
Auto-Submit: Tatiana Bradley <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@neild @rolandshoemaker @gopherbot @GoVulnBot