Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS1tcjQ1LXJ4OHEtd2NtOc4AA207

High EPSS: 0.00092% (0.27209 Percentile) EPSS:
Permalink JSON

xkeys seal encryption used fixed key for all encryption

Affected Packages Affected Versions Fixed Versions
go:github.com/nats-io/nats-server/v2 >= 2.10.0, <= 2.10.3 2.10.4
6,417 Dependent packages
24,884 Dependent repositories

Affected Version Ranges

All affected versions

2.10.0, 2.10.1, 2.10.2, 2.10.3

All unaffected versions

2.0.0, 2.0.2, 2.0.4, 2.1.0, 2.1.2, 2.1.4, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.9.11, 2.9.12, 2.9.14, 2.9.15, 2.9.16, 2.9.17, 2.9.18, 2.9.19, 2.9.20, 2.9.21, 2.9.22, 2.9.23, 2.9.24, 2.9.25, 2.10.4, 2.10.5, 2.10.6, 2.10.7, 2.10.8, 2.10.9, 2.10.10, 2.10.11, 2.10.12, 2.10.14, 2.10.15, 2.10.16, 2.10.17, 2.10.18, 2.10.19, 2.10.20, 2.10.21, 2.10.22, 2.10.23, 2.10.24, 2.10.25, 2.10.26, 2.10.27, 2.10.28, 2.10.29, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6
go:github.com/nats-io/nkeys >= 0.4.0, <= 0.4.5 0.4.6
6,018 Dependent packages
28,527 Dependent repositories

Affected Version Ranges

All affected versions

0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5

All unaffected versions

0.0.1, 0.0.2, 0.1.0, 0.1.2, 0.1.3, 0.1.4, 0.2.0, 0.3.0, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.10, 0.4.11

Background

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.

The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts.

Problem Description

The nkeys library's "xkeys" encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key.

This affects encryption only, not signing.
FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY.

Affected versions

nkeys Go library:

  • 0.4.0 up to and including 0.4.5
  • Fixed with nats-io/nkeys: 0.4.6

NATS Server:

  • 2.10.0 up to and including 2.10.3
  • Fixed with nats-io/nats-server: 2.10.4

Solution

Upgrade the nats-server.
For any application handling auth callouts in Go, if using the nkeys library, update the dependency, recompile and deploy that in lockstep.

Credits

Problem reported by Quentin Matillat (GitHub @tinou98).

References:

Identifiers

GHSA-mr45-rx8q-wcm9

CVE-2023-46129

Risk

Severity

High

EPSS

EPSS Percentage: 0.00092

EPSS Percentile: 0.27209

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/nats-io/nkeys

Date and time

Published

over 1 year ago

Updated

over 1 year ago

API

JSON