Subject: Negative user permissions not enforced in one scenario
NATS-advisory-ID: 2022-04
CVE: CVE-2022-29946
Date: 2022-05-04
Fixed-In: nats-server 2.8.2; nats-streaming-server 0.24.6

Background:

NATS.io is a high-performance open source pub-sub distributed communication
technology, built for the cloud, on-premise, IoT, and edge computing.

NATS supports users (optionally within accounts), and users can have ACL rules
restricting their access to NATS subjects. The ACLs can be in the server
configuration or in the user JWT signed by an account signing key.

Problem Description:

If an ACL for a user includes a positive permission to subscribe to a wildcard
subject and a negative permission for a particular subject that is matched by
that wildcard, then in some situations a queue subscriber to the wildcard would
receive the messages on the subject that is configured to be denied.

Thus a direct subscription to the denied subject was correctly rejected, but a
queue subscription on the wildcard, which implicitly covers that subject, was
not given the implicit per-message filter that hides the denied subjects.

Affected versions:

NATS Server:
 * 2.0.0 up to and including 2.8.1.
 * Fixed with nats-io/nats-server: 2.8.2
 * Docker image: nats

NATS Streaming Server:
 * 0.15.0 up to and including 0.24.5
 * Fixed with nats-io/nats-streaming-server: 0.24.6

Workarounds:

Recraft user permission rules to only add access; never try to deny it.

Solution:

Upgrade the NATS server to at least 2.8.2.

Credits:

This issue was discovered internally by a NATS Maintainer.

There is no evidence known to us that this has been exploited.

References:

 * This document is canonically:
 * MITRE CVE entry:
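The filter that the Problem Description says was missing for queue subscriptions, shown as an added self-contained example (not nats-server code): NATS-style subject matching plus a per-message check that a concrete subject is allowed and not covered by any deny rule, exercised with a constructed ACL of the shape described above (wildcard allow, single-subject deny). The Permissions type, the deliverable function and the orders.* subjects are assumptions for illustration.

```go
package main
import (
	"fmt"
	"strings"
)
// matchSubject reports whether subject matches a NATS subscription pattern:
// "*" matches exactly one token, ">" matches one or more trailing tokens.
func matchSubject(pattern, subject string) bool {
	p, s := strings.Split(pattern, "."), strings.Split(subject, ".")
	for i, tok := range p {
		if tok == ">" {
			return len(s) > i
		}
		if i >= len(s) || (tok != "*" && tok != s[i]) {
			return false
		}
	}
	return len(p) == len(s)
}
// Permissions is the allow/deny shape of a user's subscribe ACL (constructed
// type for this example, not the nats-server one).
type Permissions struct{ Allow, Deny []string }
func anyMatch(patterns []string, subject string) bool {
	for _, p := range patterns {
		if matchSubject(p, subject) {
			return true
		}
	}
	return false
}
// deliverable is the per-message filter a (queue) subscription on a wildcard
// needs: the concrete subject must be allowed and not covered by any deny rule.
func deliverable(perms Permissions, subscription, subject string) bool {
	if !matchSubject(subscription, subject) {
		return false
	}
	if len(perms.Allow) > 0 && !anyMatch(perms.Allow, subject) {
		return false
	}
	return !anyMatch(perms.Deny, subject)
}
func main() {
	// Constructed ACL: wildcard allow plus a deny for one subject inside it.
	perms := Permissions{Allow: []string{"orders.*"}, Deny: []string{"orders.secret"}}
	for _, subj := range []string{"orders.new", "orders.secret"} {
		fmt.Printf("queue sub orders.* receives %s: %v\n", subj, deliverable(perms, "orders.*", subj))
	}
}
```

The Workarounds section's allow-only rules need no deny evaluation at all: with Allow set and Deny empty, any subject outside the allow list is already filtered by the same check.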