Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLW00angtNjUyNi12dmht

High EPSS: 0.08427% (0.91537 Percentile) EPSS:
Permalink JSON

Denial of service in github.com/nats-io/nats-server/server

Affected Packages Affected Versions Fixed Versions
go:github.com/nats-io/nats-server/v2 < 2.2.0 2.2.0
6,417 Dependent packages
24,884 Dependent repositories

Affected Version Ranges

All affected versions

2.0.0, 2.0.2, 2.0.4, 2.1.0, 2.1.2, 2.1.4, 2.1.6, 2.1.7, 2.1.8, 2.1.9

All unaffected versions

2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.9.11, 2.9.12, 2.9.14, 2.9.15, 2.9.16, 2.9.17, 2.9.18, 2.9.19, 2.9.20, 2.9.21, 2.9.22, 2.9.23, 2.9.24, 2.9.25, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.10.6, 2.10.7, 2.10.8, 2.10.9, 2.10.10, 2.10.11, 2.10.12, 2.10.14, 2.10.15, 2.10.16, 2.10.17, 2.10.18, 2.10.19, 2.10.20, 2.10.21, 2.10.22, 2.10.23, 2.10.24, 2.10.25, 2.10.26, 2.10.27, 2.10.28, 2.10.29, 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6
go:github.com/nats-io/nats-server < 2.2.0 2.2.0
152 Dependent packages
201 Dependent repositories

Affected Version Ranges

All affected versions

0.5.1, 0.5.2, 0.5.4, 0.5.6, 0.6.0, 0.6.2, 0.6.4, 0.6.6, 0.6.8, 0.7.0, 0.7.2, 0.8.0, 0.8.1, 0.9.2, 0.9.4, 0.9.6, 1.0.0, 1.0.2, 1.0.4, 1.0.6, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.4.1

All unaffected versions

This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. Disclaimer from the maintainers - Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers. Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention. Those who are running such services are encouraged to build regularly from git.

References:

Identifiers

GHSA-m4jx-6526-vvhm

CVE-2020-28466

Risk

Severity

High

EPSS

EPSS Percentage: 0.08427

EPSS Percentile: 0.91537

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/nats-io/nats-server

Date and time

Published

over 3 years ago

Updated

almost 2 years ago

API

JSON