ID

VAR-202103-0226


CVE

CVE-2020-28466


TITLE

Vulnerability in nats-server

Trust: 0.8

sources: JVNDB: JVNDB-2020-016224

DESCRIPTION

This affects all versions of package github.com/nats-io/nats-server/server. Untrusted accounts are able to crash the server using configs that represent service export/import cycles. Disclaimer from the maintainers: Running a NATS service which is exposed to untrusted users presents a heightened risk. Any remote execution flaw or equivalent seriousness, or denial-of-service by unauthenticated users, will lead to prompt releases by the NATS maintainers. Fixes for denial of service issues with no threat of remote execution, when limited to account holders, are likely to just be committed to the main development branch with no special attention. Those who are running such services are encouraged to build regularly from git. nats-server contains an unspecified vulnerability. It may be put into a denial of service (DoS) state.

Trust: 1.62

sources: NVD: CVE-2020-28466 // JVNDB: JVNDB-2020-016224

AFFECTED PRODUCTS

vendor: nats | model: server | scope: lt | version: 2.2.0

Trust: 1.0

vendor: nats | model: server | scope: gte | version: 2.0.0

Trust: 1.0

vendor: nats | model: server | scope: eq | version: -

Trust: 0.8

sources: JVNDB: JVNDB-2020-016224 // NVD: CVE-2020-28466

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-28466
value: HIGH

Trust: 1.0

report@snyk.io: CVE-2020-28466
value: HIGH

Trust: 1.0

NVD: CVE-2020-28466
value: HIGH

Trust: 0.8

CNNVD: CNNVD-202103-538
value: HIGH

Trust: 0.6

nvd@nist.gov: CVE-2020-28466
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

nvd@nist.gov: CVE-2020-28466
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 2.0

OTHER: JVNDB-2020-016224
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-016224 // CNNVD: CNNVD-202103-538 // NVD: CVE-2020-28466 // NVD: CVE-2020-28466

PROBLEMTYPE DATA

problemtype: NVD-CWE-noinfo

Trust: 1.0

problemtype: Lack of information (CWE-noinfo) [NVD Evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2020-016224 // NVD: CVE-2020-28466

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202103-538

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202103-538

PATCH

title: [FIXED] Detect service import cycles. #1731
url: https://github.com/nats-io/nats-server/pull/1731

Trust: 0.8

sources: JVNDB: JVNDB-2020-016224

EXTERNAL IDS

db: NVD | id: CVE-2020-28466

Trust: 2.4

db: OPENWALL | id: OSS-SECURITY/2021/03/16/1

Trust: 1.6

db: OPENWALL | id: OSS-SECURITY/2021/03/16/2

Trust: 1.6

db: JVNDB | id: JVNDB-2020-016224

Trust: 0.8

db: CNNVD | id: CNNVD-202103-538

Trust: 0.6

sources: JVNDB: JVNDB-2020-016224 // CNNVD: CNNVD-202103-538 // NVD: CVE-2020-28466

REFERENCES

url: https://snyk.io/vuln/snyk-golang-githubcomnatsionatsserverserver-1042967

Trust: 2.4

url: https://github.com/nats-io/nats-server/pull/1731

Trust: 1.6

url: http://www.openwall.com/lists/oss-security/2021/03/16/1

Trust: 1.6

url: http://www.openwall.com/lists/oss-security/2021/03/16/2

Trust: 1.6

url: https://nvd.nist.gov/vuln/detail/cve-2020-28466

Trust: 1.4

sources: JVNDB: JVNDB-2020-016224 // CNNVD: CNNVD-202103-538 // NVD: CVE-2020-28466

SOURCES

db: JVNDB | id: JVNDB-2020-016224
db: CNNVD | id: CNNVD-202103-538
db: NVD | id: CVE-2020-28466

LAST UPDATE DATE

2024-11-23T22:37:04.206000+00:00

SOURCES UPDATE DATE

db: JVNDB | id: JVNDB-2020-016224 | date: 2021-11-15T07:01:00
db: CNNVD | id: CNNVD-202103-538 | date: 2021-05-11T00:00:00
db: NVD | id: CVE-2020-28466 | date: 2024-11-21T05:22:51.347

SOURCES RELEASE DATE

db: JVNDB | id: JVNDB-2020-016224 | date: 2021-11-15T00:00:00
db: CNNVD | id: CNNVD-202103-538 | date: 2021-03-07T00:00:00
db: NVD | id: CVE-2020-28466 | date: 2021-03-07T10:15:12.957