Adds CVE-2020-28466

2025-06-12 02:05:39 +00:00 · 2021-03-07 11:53:43 +02:00 · 2021-03-07 11:53:43 +02:00 · 4b8378bb43
commit 4b8378bb43
parent 967ca8ccd0
1 changed files with 76 additions and 4 deletions
--- a/2020/28xxx/CVE-2020-28466.json
+++ b/2020/28xxx/CVE-2020-28466.json
@ -3,16 +3,88 @@
    "data_format": "MITRE",
    "data_version": "4.0",
    "CVE_data_meta": {
+        "ASSIGNER": "report@snyk.io",
+        "DATE_PUBLIC": "2021-03-07T09:53:41.365005Z",
        "ID": "CVE-2020-28466",
-        "ASSIGNER": "cve@mitre.org",
-        "STATE": "RESERVED"
+        "STATE": "PUBLIC",
+        "TITLE": "Denial of Service (DoS)"
+    },
+    "affects": {
+        "vendor": {
+            "vendor_data": [
+                {
+                    "product": {
+                        "product_data": [
+                            {
+                                "product_name": "github.com/nats-io/nats-server/server",
+                                "version": {
+                                    "version_data": [
+                                        {
+                                            "version_affected": ">=",
+                                            "version_value": "0"
+                                        }
+                                    ]
+                                }
+                            }
+                        ]
+                    },
+                    "vendor_name": "n/a"
+                }
+            ]
+        }
+    },
+    "problemtype": {
+        "problemtype_data": [
+            {
+                "description": [
+                    {
+                        "lang": "eng",
+                        "value": "Denial of Service (DoS)"
+                    }
+                ]
+            }
+        ]
+    },
+    "references": {
+        "reference_data": [
+            {
+                "refsource": "CONFIRM",
+                "url": "https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMNATSIONATSSERVERSERVER-1042967"
+            },
+            {
+                "refsource": "CONFIRM",
+                "url": "https://github.com/nats-io/nats-server/pull/1731"
+            }
+        ]
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
-                "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
+                "value": "This affects all versions of package github.com/nats-io/nats-server/server.\n Untrusted accounts are able to crash the server using configs that represent a service export/import cycles. \r\n\r\n Disclaimer from the maintainers:\r\nRunning a NATS service which is exposed to\r\nuntrusted users presents a heightened risk.  Any remote execution flaw\r\nor equivalent seriousness, or denial-of-service by unauthenticated\r\nusers, will lead to prompt releases by the NATS maintainers.  Fixes\r\nfor denial of service issues with no threat of remote execution, when\r\nlimited to account holders, are likely to just be committed to the\r\nmain development branch with no special attention.  Those who are\r\nrunning such services are encouraged to build regularly from git.\n"
            }
        ]
-    }
+    },
+    "impact": {
+        "cvss": {
+            "version": "3.1",
+            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
+            "baseScore": 7.5,
+            "baseSeverity": "HIGH",
+            "attackVector": "NETWORK",
+            "attackComplexity": "LOW",
+            "privilegesRequired": "NONE",
+            "userInteraction": "NONE",
+            "scope": "UNCHANGED",
+            "confidentialityImpact": "NONE",
+            "integrityImpact": "NONE",
+            "availabilityImpact": "HIGH"
+        }
+    },
+    "credit": [
+        {
+            "lang": "eng",
+            "value": "derekcollison"
+        }
+    ]
 }