Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass

[Phil Pennock <oss-security-phil () spodhuis org>]

On 2023-10-28 at 17:51 +0200, Salvatore Bonaccorso wrote:
> On Thu, Oct 12, 2023 at 10:39:53PM -0400, Phil Pennock wrote:
> > [ CVE has been requested, still waiting for assignment, so we're just
> >   inventing our own in-house numbering for advisories; we'll make sure
> >   this one continues to work after the CVE is issued ]
> >
> > NATS-advisory-ID: 2023-01
> > CVE: pending
> > Date: 2023-10-12
> > Fixed in: 2.9.23, 2.10.2
>
> While I see the later NATS-advisory-ID 2023-02 has a CVE assigned, for
> the 2023-01 was above with CVE pending. has one been assigned in
> meanwhile?

No.

For 2023-01 I went with our existing procedure and requested an
assignment from MITRE, just as in all prior cases.  I got the automated
acknowledgement (on Thursday 28th Sep, request ID 1532633).  I've yet to
get a CVE assignment.

So for the next one, I tried a new approach.  I filled out the GitHub
Security Advisory flow ahead of release, got a GHSA, and requested a CVE
immediately.  It looks like that was issued the next day.

Going forward, the NATS project will be using GitHub's processes for
requesting a CVE assignment.  Our documented procedures have been
updated.

I'm adjusting our published text format to have known aliases near the
top, to make it easier to cross-reference.  For NATS advisory 2023-01,
this is aka GHSA-fr2g-9hjm-wr23 and GO-2023-2133.

-Phil

Attachment: signature.asc
Description: