Bug 2052573 (CVE-2022-24450)
| Summary: | CVE-2022-24450 nats-server: misusing the "dynamically provisioned sandbox accounts" feature authenticated user can obtain the privileges of the System account | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vipul Nair <vinair> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | eclipseo, go-sig, gparvin, hershellasagna, jramanat, njean, pahickey, stcannon |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | nats-server 2.7.2 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in the NATS nats-server in an experimental feature that provides dynamically provisioned sandbox accounts that do not check the clients' authorization. This flaw allows an attacker to take advantage of its valid account and switch over to another existing account without further authentication. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-08-29 19:55:54 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2056579, 2057850, 2057852, 2057853, 2057854, 2057855, 2057856, 2057857, 2057858, 2057859, 2057860, 2057861, 2057862, 2057863, 2057864, 2057865, 2057866, 2057867, 2057868, 2057869, 2057870, 2057871, 2057872, 2057873, 2057874, 2057875, 2057876, 2076696, 2076697, 2076698, 2076700, 2085276, 2085284, 2085285, 2085286, 2085328, 2087267, 2092161 | | |
| Bug Blocks: | 2052502 | | |
Description

Vipul Nair, 2022-02-09 15:18:41 UTC

Created nats-server tracking bugs for this issue:

Affects: fedora-all [bug 2056579]

This issue has been addressed in the following products:
  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8
  Via RHSA-2022:0735 https://access.redhat.com/errata/RHSA-2022:0735

This issue has been addressed in the following products:
  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8
  Via RHSA-2022:1476 https://access.redhat.com/errata/RHSA-2022:1476

This issue has been addressed in the following products:
  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8
  Via RHSA-2022:1681 https://access.redhat.com/errata/RHSA-2022:1681

This issue has been addressed in the following products:
  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8
  Via RHSA-2022:4956 https://access.redhat.com/errata/RHSA-2022:4956

This issue has been addressed in the following products:
  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8
  Via RHSA-2022:5201 https://access.redhat.com/errata/RHSA-2022:5201

This issue has been addressed in the following products:
  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8
  Via RHSA-2022:5531 https://access.redhat.com/errata/RHSA-2022:5531

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2022-24450