x/vulndb: potential Go vuln in github.com/nats-io/nats-streaming-server: GHSA-2h2x-8hh2-mfq8

[GoVulnBot]

Advisory GHSA-2h2x-8hh2-mfq8 references a vulnerability in the following Go modules:

Module
github.com/nats-io/nats-streaming-server

Description:
NATS.io NATS Server before 2.8.2 and Streaming Server before 0.24.6 could allow a remote attacker to bypass security restrictions, caused by the failure to enforce negative user permissions in one scenario. By using a queue subscription on the wildcard, an attacker could exploit this vulnerability to allow denied subjects.

References:

• ADVISORY: GHSA-2h2x-8hh2-mfq8
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2022-29946
• WEB: https://github.com/nats-io/advisories/blob/main/CVE/CVE-2022-29946.txt

Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/nats-io/nats-streaming-server
      versions:
        - fixed: 0.24.6
      non_go_versions:
        - fixed: 2.8.2
      vulnerable_at: 0.24.5
summary: |-
    NATS Server and Streaming Server fails to enforce negative user permissions, may
    allow denied subjects in github.com/nats-io/nats-streaming-server
cves:
    - CVE-2022-29946
ghsas:
    - GHSA-2h2x-8hh2-mfq8
references:
    - advisory: https://github.com/advisories/GHSA-2h2x-8hh2-mfq8
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2022-29946
    - web: https://github.com/nats-io/advisories/blob/main/CVE/CVE-2022-29946.txt
source:
    id: GHSA-2h2x-8hh2-mfq8
    created: 2024-07-12T14:01:52.973109458Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/597995 mentions this issue: data/reports: add 3 reports