CVE-2022-26652 — Arbitrary file write in nats-server in github.com/nats-io/nats-server

Description

NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.

How to fix CVE-2022-26652

To remediate CVE-2022-26652, upgrade the affected package to a fixed version below.

Bitnami/nats—upgrade to 2.7.4 or later
—no fix listed
—upgrade to 2.7.4 or later
—upgrade to 2.7.4 or later
—upgrade to 0.24.3 or later
—upgrade to 0.24.3 or later

Is CVE-2022-26652 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

>= 2.2.0, < 2.7.4
from 0
>= 2.2.0, < 2.7.4
>= 2.2.0, < 2.7.4
>= 0.15.0, < 0.24.3
>= 0.15.0, < 0.24.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References (9)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-26652
PATCHgithub.com/nats-io/nats-server
WEBadvisories.nats.io/CVE/CVE-2022-26652.txt
WEBgithub.com/nats-io/nats-server/pull/2917
WEBgithub.com