Skip to main content
Version: latest

CVE-2023-46129

CVE Details

Visit the official vulnerability details page for CVE-2023-46129 to learn more.

Initial Publication

10/25/2024

Last Update

12/16/2024

Third Party Dependency

github.com/nats-io/nats-server/v2

NIST CVE Summary

NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. In nkeys versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3, the nkeys library's `xkeys` encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing.
FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY. nkeys Go library 0.4.6, corresponding with NATS Server 2.10.4, has a patch for this issue. No known workarounds are available. For any application handling auth callouts in Go, if using the nkeys library, update the dependency, recompile and deploy that in lockstep.

CVE Severity

7.5

Our Official Summary

This denial of service attack is reported on some third party containers used by the product. Risk of exploitation of this vulnerability for our products is low, since this requires attacker to have privileged access to the containers and do not allow arbitrary code to be run on them. Impact of exploitation is also low since containers have a limited attack surface. Third party containers in which this vulnerability is reported do not have an upstream fix. We will upgrade the images once the upstream fix becomes available.

Status

Ongoing

Affected Products & Versions

This CVE is non-impacting as the impacting symbol and/or function is not used in the product

Revision History

DateRevision
12/16/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.5.10, 4.5.11 to 4.5.4, 4.5.5, 4.5.8, 4.5.10, 4.5.11, 4.5.15
11/28/2024Official summary revised: This denial of service attack is reported on some third party containers used by the product. Risk of exploitation of this vulnerability for our products is low, since this requires attacker to have privileged access to the containers and do not allow arbitrary code to be run on them. Impact of exploitation is also low since containers have a limited attack surface. Third party containers in which this vulnerability is reported do not have an upstream fix. We will upgrade the images once the upstream fix becomes available.
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8, 4.5.10 to 4.5.4, 4.5.5, 4.5.8, 4.5.10, 4.5.11
11/15/2024Impacted versions changed from 4.5.4, 4.5.5, 4.5.8 to 4.5.4, 4.5.5, 4.5.8, 4.5.10
11/10/2024Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.5.8
10/27/2024Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5