Description
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user with subscription deny permissions could bypass a plain subject deny rule by using a queue subscription, because queue-specific deny evaluation could override the plain subject deny result when the queue name itself was not denied. This issue is fixed in versions 2.14.0, 2.12.7, and 2.11.16.
Problem types
CWE-285: Improper Authorization
Product status
>= 2.12.0-RC.1, < 2.12.7
References
github.com/...server/security/advisories/GHSA-jx8g-9g95-6322
github.com/...ommit/013586288078def45a6788096924eb4d150db65c
github.com/...ommit/79c2f6e9ff87f594596337b6427dda85c38d1fe1
github.com/...ommit/b9ffb63b85e7db3d25a13b2e234f5f7f7c13164d
github.com/nats-io/nats-server/releases/tag/v2.11.16
github.com/nats-io/nats-server/releases/tag/v2.12.7
github.com/nats-io/nats-server/releases/tag/v2.14.0