CVE-2022-29946
Authorization Bypass vulnerability in github.com/nats-io/nats-server/v2 and github.com/nats-io/nats-streaming-server (Go)
What is CVE-2022-29946 About?
This vulnerability in NATS Server and NATS Streaming Server allows an authenticated user to bypass negative user permissions (deny rules) and interact with subjects that were explicitly denied to them. This can lead to unauthorized access to messages or services, and is easy to exploit for an attacker who knows, or can guess, which subjects the denial policy is meant to protect.
Affected Software
- github.com/nats-io/nats-server/v2
  - versions before 2.8.2
- github.com/nats-io/nats-streaming-server
  - versions before 0.24.6
Technical Details
NATS Server (github.com/nats-io/nats-server/v2) and NATS Streaming Server (github.com/nats-io/nats-streaming-server, which embeds nats-server) fail to correctly enforce negative user permissions. In a NATS user's permissions block, the `publish` and `subscribe` sections each accept an `allow` list and a `deny` list of subject patterns (dot-separated subject tokens, optionally with the `*` and `>` wildcards). A subject that matches a deny entry must be rejected even when it also matches an allow entry. In affected versions a user could publish or subscribe on a subject that had been explicitly denied to them, so the deny rule did not take the precedence it should have. The advisory does not spell out the exact code path; whatever the root cause, the security-relevant requirement for an authorization layer like this is that deny rules are evaluated for every decision and win over allow rules, both when a subscription is created and again for each concrete message subject delivered to a wildcard subscription.
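The following is an added, illustrative model of subject-permission evaluation, written for this page and not taken from nats-server. It implements NATS-style subject matching (`*` matches one token, `>` matches one or more trailing tokens) and compares deny-wins evaluation with the allow-first short-circuit that the paragraph above warns about. The permission set, subjects and message list are constructed sample data. It also shows why a broker must re-check deny rules on the concrete subject of each delivered message, since a wildcard subscription such as `orders.>` can be legitimately allowed while `orders.secret.card` is denied.

```go
package main

import (
	"fmt"
	"strings"
)

// Permissions mirrors the shape of one half of a NATS user permission block
// (the publish or the subscribe side): an allow list and a deny list of
// subject patterns. This is an illustrative model, not nats-server's own type.
type Permissions struct {
	Allow []string
	Deny  []string
}

// subjectMatches reports whether subject matches a NATS-style pattern.
// Tokens are separated by '.', '*' matches exactly one token and '>' matches
// one or more trailing tokens (and is only valid as the last pattern token).
func subjectMatches(pattern, subject string) bool {
	pt := strings.Split(pattern, ".")
	st := strings.Split(subject, ".")
	for i, p := range pt {
		if p == ">" {
			return i == len(pt)-1 && len(st) > i
		}
		if i >= len(st) {
			return false
		}
		if p != "*" && p != st[i] {
			return false
		}
	}
	return len(pt) == len(st)
}

// Permitted applies deny-wins semantics: a subject is permitted only if it
// matches no deny entry AND matches an allow entry. An empty allow list means
// "allow everything not denied", which is how the NATS docs describe a
// permissions block that only lists deny rules.
func (p Permissions) Permitted(subject string) bool {
	for _, d := range p.Deny {
		if subjectMatches(d, subject) {
			return false
		}
	}
	if len(p.Allow) == 0 {
		return true
	}
	for _, a := range p.Allow {
		if subjectMatches(a, subject) {
			return true
		}
	}
	return false
}

// permittedAllowFirst is the broken shape described in Technical Details:
// an allow match returns early, so deny rules are never consulted for any
// subject that an allow pattern covers. Shown only for contrast.
func permittedAllowFirst(p Permissions, subject string) bool {
	for _, a := range p.Allow {
		if subjectMatches(a, subject) {
			return true
		}
	}
	for _, d := range p.Deny {
		if subjectMatches(d, subject) {
			return false
		}
	}
	return len(p.Allow) == 0
}

// DeliverableSubjects models the two checks a broker must perform for a
// subscription: the subscription pattern itself must be permitted, and then
// every message that the pattern matches must be re-checked on its concrete
// subject, because a wildcard subscription can overlap denied subjects.
// Returns nil when the subscription itself is rejected.
func DeliverableSubjects(sub Permissions, subscription string, published []string) []string {
	if !sub.Permitted(subscription) {
		return nil
	}
	var out []string
	for _, subj := range published {
		if subjectMatches(subscription, subj) && sub.Permitted(subj) {
			out = append(out, subj)
		}
	}
	return out
}

func main() {
	// Constructed sample policy: the user may use orders.> but not orders.secret.>.
	perms := Permissions{Allow: []string{"orders.>"}, Deny: []string{"orders.secret.>"}}
	for _, s := range []string{"orders.new", "orders.secret.card", "billing.new"} {
		fmt.Printf("%-20s deny-wins=%-5v allow-first=%v\n", s, perms.Permitted(s), permittedAllowFirst(perms, s))
	}
	msgs := []string{"orders.new", "orders.secret.card", "billing.new"}
	fmt.Println("delivered on orders.>:", DeliverableSubjects(perms, "orders.>", msgs))
}
```

Running it shows `orders.secret.card` rejected under deny-wins but accepted by the allow-first variant, which is the behaviour class an authorization bypass of this kind produces; the delivery check then filters that subject out of the otherwise valid `orders.>` subscription.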
What is the Impact of CVE-2022-29946?
Successful exploitation allows an authenticated user to subscribe to or publish on subjects they are explicitly denied, leading to unauthorized information disclosure (reading messages on denied subjects), message tampering or injection (publishing on denied subjects), or service disruption within the NATS deployment.
What is the Exploitability of CVE-2022-29946?
Exploitation is of low complexity. The only prerequisite is an authenticated NATS user account whose permissions include deny rules; the attacker then simply publishes to, or subscribes on, the subjects those rules are supposed to block. The attack is remote over the NATS client port and requires no special tooling beyond an ordinary NATS client. The risk is that the server's authorization mechanism silently fails to honour the operator's intended policy, so deployments that rely on deny rules for tenant or privilege separation are exposed without any visible misconfiguration.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-29946?
Available Upgrade Options
- github.com/nats-io/nats-streaming-server
  - versions before 0.24.6 → upgrade to 0.24.6 or later
- github.com/nats-io/nats-server/v2
  - versions before 2.8.2 → upgrade to 2.8.2 or later
Additional Resources
What are Similar Vulnerabilities to CVE-2022-29946?
Similar Vulnerabilities: CVE-2023-39325, CVE-2023-39327, CVE-2023-44487, CVE-2022-23530, CVE-2021-3829
