    github.com/nats-io/nats-server/v2 2.12.5 (golang)
pkg:golang/github.com/nats-io/nats-server@2.12.5#v2
 Plaintext Storage of a Password
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 8.6 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N | | EPSS Score | 0.033% | | EPSS Percentile | 10th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
Problem Description
For MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
Ensure monitoring end-points are adequately secured.
Best practice remains to not expose the monitoring endpoint to the Internet or other untrusted network users.
 Improper Input Validation
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 7.5 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | | EPSS Score | 0.114% | | EPSS Percentile | 30th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers.
Problem Description
A client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
- Disable leafnode support if not needed.
- Restrict network connections to your leafnode port, if plausible without compromising the service offered.
References
 Insertion of Sensitive Information Into Debugging Code
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 7.4 | | CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N | | EPSS Score | 0.030% | | EPSS Percentile | 8th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an optional monitoring port, which provides access to sensitive data. The nats-server can take certain configuration options on the command-line instead of requiring a configuration file.
Problem Description
If a nats-server is run with static credentials for all clients provided via argv (the command-line), then those credentials are visible to any user who can see the monitoring port, if that too is enabled.
The /debug/vars end-point contains an unredacted copy of argv.
Patches
Fixed in nats-server 2.12.6 & 2.11.15
Workarounds
The NATS Maintainers are bemused at the concept of someone deploying a real configuration using --pass to avoid a config file, but also enabling monitoring.
Configure credentials inside a configuration file instead of via argv.
Do not enable the monitoring port if using secrets in argv.
Best practice remains to not expose the monitoring port to the Internet, or to untrusted network sources.
 Incorrect Authorization
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 7.1 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N | | EPSS Score | 0.024% | | EPSS Percentile | 7th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
Problem Description
When using ACLs on message subjects, these ACLs were not applied in the $MQTT.> namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
 Improper Authentication
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 6.5 | | CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:L | | EPSS Score | 0.011% | | EPSS Percentile | 1st percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server provides an MQTT client interface.
Problem Description
Sessions and Messages can by hijacked via MQTT Client ID malfeasance.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
Resources
 Improper Authentication
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 6.4 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | | EPSS Score | 0.023% | | EPSS Percentile | 6th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers. NATS messages can have headers.
Problem Description
The nats-server offers a Nats-Request-Info: message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their own decisions on how to trust a message, provided that they trust the nats-server as a broker.
A leafnode connecting to a nats-server is not fully trusted unless the system account is bridged too. Thus identity claims should not have propagated unchecked.
Thus NATS clients relying upon the Nats-Request-Info: header could be spoofed.
Does not directly affect the nats-server itself, but the CVSS Confidentiality and Integrity scores are based upon what a hypothetical client might choose to do with this NATS header.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
 Authentication Bypass by Spoofing
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 6.4 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N | | EPSS Score | 0.023% | | EPSS Percentile | 6th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server offers a Nats-Request-Info: message header, providing information about a request.
Problem Description
The NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective.
An attacker with valid credentials for any regular client interface could thus spoof their identity to services which rely upon this header.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
 Allocation of Resources Without Limits or Throttling
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 5.3 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | | EPSS Score | 0.066% | | EPSS Percentile | 20th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients.
Problem Description
A malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data.
This is a milder variant of NATS-advisory-ID 2026-02 (aka CVE-2026-27571; GHSA-qrvq-68c2-7grw).
That earlier issue was a compression bomb, this vulnerability is not. Attacks against this new issue thus require significant client bandwidth.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
Disable websockets if not required for project deployment.
 Improper Authorization
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 4.9 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N | | EPSS Score | 0.019% | | EPSS Percentile | 5th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore.
Problem Description
Users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
If developers have configured users to have limited JetStream restore permissions, temporarily remove those permissions.
 Incorrect Authorization
| Affected range | >=2.12.0-preview.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 4.3 | | CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | | EPSS Score | 0.024% | | EPSS Percentile | 6th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
The nats-server supports telemetry on messages, using the per-message NATS headers.
Problem Description
A valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission.
The payload is a valid trace message and not chosen by the attacker.
Affected Versions
Any version before v2.12.6 or v2.11.15
Workarounds
None.
 Improper Authentication
| Affected range | >=2.12.0-RC.1
<2.12.6
| | Fixed version | 2.12.6 | | CVSS Score | 4.2 | | CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N | | EPSS Score | 0.018% | | EPSS Percentile | 5th percentile |
Description
Background
NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing.
One authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate.
Problem Description
When using mTLS for client identity, with verify_and_map to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing for authentication bypass.
This does require a valid certificate from a CA already trusted for client certificates, and DN naming patterns which the NATS maintainers consider highly unlikely.
So this is an unlikely attack. Nonetheless, administrators who have been very sophisticated in their DN construction patterns might conceivably be impacted.
Affected Versions
Fixed in nats-server 2.12.6 & 2.11.15
Workarounds
Developers should review their CA issuing practices.
|
  github.com/docker/docker 28.5.2+incompatible (golang)
pkg:golang/github.com/docker/docker@28.5.2%2Bincompatible
 Incorrect Authorization
| Affected range | <29.3.1 | | Fixed version | Not Fixed | | CVSS Score | 8.8 | | CVSS Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Description
Summary
A security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ) under specific circumstances. The base likelihood of this being exploited is low.
This is an incomplete fix for CVE-2024-41110.
Impact
If you don't use AuthZ plugins, you are not affected.
Using a specially-crafted API request, an attacker could make the Docker daemon forward the request to an authorization plugin without the body. The authorization plugin may allow a request which it would have otherwise denied if the body had been forwarded to it.
Anyone who depends on authorization plugins that introspect the request body to make access control decisions is potentially impacted.
Workarounds
If unable to update immediately:
- Avoid using AuthZ plugins that rely on request body inspection for security decisions.
- Restrict access to the Docker API to trusted parties, following the principle of least privilege.
Credits
Resources
 Off-by-one Error
| Affected range | <29.3.1 | | Fixed version | Not Fixed | | CVSS Score | 6.8 | | CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
Description
Summary
A security vulnerability has been detected that allows plugins privilege validation to be bypassed during docker plugin install. Due to an error in the daemon's privilege comparison logic, the daemon may incorrectly accept a privilege set that differs from the one approved by the user.
Plugins that request exactly one privilege are also affected, because no comparison is performed at all.
Impact
If plugins are not in use, there is no impact.
When a plugin is installed, the daemon computes the privileges required by the plugin's configuration and compares them with the privileges approved during installation. A malicious plugin can exploit this bug so that the daemon accepts privileges that differ from what was intended to be approved.
Anyone who depends on the plugin installation approval flow as a meaningful security boundary is potentially impacted.
Depending on the privilege set involved, this may include highly sensitive plugin permissions such as broad device access.
For consideration: exploitation still requires a plugin to be installed from a malicious source, and Docker plugins are relatively uncommon. Docker Desktop also does not support plugins.
Workarounds
If unable to update immediately:
- Do not install plugins from untrusted sources
- Carefully review all privileges requested during
docker plugin install
- Restrict access to the Docker daemon to trusted parties, following the principle of least privilege
- Avoid relying on plugin privilege approval as the only control boundary for sensitive environments
Credits
|
github.com/go-git/go-git/v5 
