CVE-2021-32026

Description

NATS server TLS missing ciphersuite settings when CLI flags used in github.com/nats-io/nats-server

How to fix CVE-2021-32026

To remediate CVE-2021-32026, upgrade the affected package to a fixed version below.

• Go/github.com/nats-io/nats-server—no fix listed
• Go/github.com/nats-io/nats-server/v2—upgrade to 2.2.3 or later
• Go/github.com/nats-io/nats-server/v2—upgrade to 2.2.3 or later

Is CVE-2021-32026 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2021-32026.

Affected packages (3)

• from 0
• from 0, < 2.2.3
• from 0, < 2.2.3

References (5)

• PATCHgithub.com/nats-io/nats-server
• WEBadvisories.nats.io
• WEBadvisories.nats.io/CVE/CVE-2021-32026.txt
• WEBgithub.com/nats-io/nats-server/commit/ffccc2e1bd7aa2466bd9e631e976bfd7ca46f225
• WEB