oss-sec mailing list archives
Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass
From: Phil Pennock <oss-security-phil () spodhuis org>
Date: Mon, 30 Oct 2023 13:40:46 -0400
On 2023-10-29 at 15:51 -0400, Phil Pennock wrote:
On 2023-10-28 at 17:51 +0200, Salvatore Bonaccorso wrote:On Thu, Oct 12, 2023 at 10:39:53PM -0400, Phil Pennock wrote:[ CVE has been requested, still waiting for assignment, so we're just inventing our own in-house numbering for advisories; we'll make sure this one continues to work after the CVE is issued ] NATS-advisory-ID: 2023-01 CVE: pending Date: 2023-10-12 Fixed in: 2.9.23, 2.10.2While I see the later NATS-advisory-ID 2023-02 has a CVE assigned, for the 2023-01 was above with CVE pending. has one been assigned in meanwhile?No.
Now: yes. CVE-2023-47090 has been assigned today. My thanks to whomever gave the nudge. (Website will be updated as soon as GitHub has an action runner available to process the pages build). -Phil
Current thread:
- NATS: 2023-01: Adding accounts for just the system account adds auth bypass Phil Pennock (Oct 13)
- Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass Salvatore Bonaccorso (Oct 28)
- Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass Phil Pennock (Oct 29)
- Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass Phil Pennock (Oct 30)
- Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass Phil Pennock (Oct 29)
- Re: NATS: 2023-01: Adding accounts for just the system account adds auth bypass Salvatore Bonaccorso (Oct 28)