CVE-2023-47090

MEDIUM

NATS nats-server 2.2.0-2.9.22 and 2.10.0-2.10.1 - Unauthenticated Authentication Bypass via Implicit $G User

Title source: llm

Description

NATS nats-server before 2.9.23 and 2.10.x before 2.10.2 has an authentication bypass. An implicit $G user in an authorization block can sometimes be used for unauthenticated access, even when the intention of the configuration was for each user to have an account. The earliest affected version is 2.2.0.

References (3)

Core 3

Core References

Vendor Advisory

https://github.com/nats-io/nats-server/security/advisories/GHSA-fr2g-9hjm-wr23

Mailing List, Mitigation

https://www.openwall.com/lists/oss-security/2023/10/13/2

Mailing List mailing-list

http://www.openwall.com/lists/oss-security/2023/10/30/1

Scores

CVSS v3 6.5

EPSS 0.0026

EPSS Percentile 49.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (2)

linuxfoundation/nats-server 2.2.0 - 2.9.23

nats-io/nats-server 2.2.0 - 2.9.23Go

Published Oct 30, 2023

Tracked Since Feb 18, 2026