x/vulndb: potential Go vuln in github.com/nats-io/nats-server: CVE-2022-26652 #351

GoVulnBot · 2022-03-10T18:04:47Z

In CVE-2022-26652, the reference URL github.com/nats-io/nats-server (and possibly others) refers to something in Go.

module: github.com/nats-io/nats-server
package: n/a
description: |
    NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.
cves:
  - CVE-2022-26652
links:
    context:
      - http://www.openwall.com/lists/oss-security/2022/03/10/1
      - https://advisories.nats.io/CVE/CVE-2022-26652.txt
      - https://github.com/nats-io/nats-server/releases
      - https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68

See doc/triage.md for instructions on how to triage this report.

The text was updated successfully, but these errors were encountered:

neild · 2022-03-14T18:58:09Z

This a bug in the nast-server daemon, not a user-imported package.

gopherbot · 2024-06-14T19:53:22Z

Change https://go.dev/cl/592767 mentions this issue: data/reports: unexclude 50 reports

gopherbot · 2024-08-20T19:43:02Z

Change https://go.dev/cl/607216 mentions this issue: data/reports: unexclude 20 reports (14)

- data/reports/GO-2022-0314.yaml - data/reports/GO-2022-0315.yaml - data/reports/GO-2022-0325.yaml - data/reports/GO-2022-0328.yaml - data/reports/GO-2022-0329.yaml - data/reports/GO-2022-0339.yaml - data/reports/GO-2022-0340.yaml - data/reports/GO-2022-0342.yaml - data/reports/GO-2022-0344.yaml - data/reports/GO-2022-0348.yaml - data/reports/GO-2022-0350.yaml - data/reports/GO-2022-0351.yaml - data/reports/GO-2022-0353.yaml - data/reports/GO-2022-0354.yaml - data/reports/GO-2022-0357.yaml - data/reports/GO-2022-0358.yaml - data/reports/GO-2022-0359.yaml - data/reports/GO-2022-0360.yaml - data/reports/GO-2022-0363.yaml - data/reports/GO-2022-0365.yaml Updates #314 Updates #315 Updates #325 Updates #328 Updates #329 Updates #339 Updates #340 Updates #342 Updates #344 Updates #348 Updates #350 Updates #351 Updates #353 Updates #354 Updates #357 Updates #358 Updates #359 Updates #360 Updates #363 Updates #365 Change-Id: I88cff49c8c254ce8df68a3fb336657e69cb8ed58 Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/607216 Commit-Queue: Tatiana Bradley <tatianabradley@google.com> Auto-Submit: Tatiana Bradley <tatianabradley@google.com> Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

julieqiu assigned neild Mar 14, 2022

julieqiu added the cve-year-2022 label Mar 14, 2022

neild closed this as completed Mar 14, 2022

neild added the NotGoVuln label Mar 16, 2022

neild added excluded: EFFECTIVELY_PRIVATE This vulnerability exists in a package can be imported, but isn't meant to be outside that module. and removed NotGoVuln labels Aug 11, 2022

GoVulnBot mentioned this issue Sep 19, 2023

x/vulndb: potential Go vuln in github.com/nats-io/nats-server: CVE-2022-28357 #2066

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

x/vulndb: potential Go vuln in github.com/nats-io/nats-server: CVE-2022-26652 #351

x/vulndb: potential Go vuln in github.com/nats-io/nats-server: CVE-2022-26652 #351

GoVulnBot commented Mar 10, 2022

neild commented Mar 14, 2022

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024

x/vulndb: potential Go vuln in github.com/nats-io/nats-server: CVE-2022-26652 #351

x/vulndb: potential Go vuln in github.com/nats-io/nats-server: CVE-2022-26652 #351

Comments

GoVulnBot commented Mar 10, 2022

neild commented Mar 14, 2022

gopherbot commented Jun 14, 2024

gopherbot commented Aug 20, 2024