CVE-2022-28357

9.8 CRITICAL

📋 TL;DR

CVE-2022-28357 is a directory traversal vulnerability in NATS nats-server that allows management accounts to access arbitrary files outside the intended directory. It affects NATS server versions 2.2.0 through 2.7.4 with management accounts enabled. Attackers holding management credentials can read sensitive files on the server.

💻 Affected Systems

Products:
  • NATS nats-server
Versions: 2.2.0 through 2.7.4
Operating Systems: All platforms running NATS server
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when management accounts are enabled in configuration. Default installations without management enabled are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise via reading sensitive configuration files, credentials, or SSH keys, leading to complete system takeover.

🟠 Likely Case: Unauthorized access to sensitive server files containing configuration data, credentials, or application data.

🟢 If Mitigated: Limited impact if management accounts are disabled or properly restricted with network controls.

🌐 Internet-Facing: HIGH - Internet-facing NATS servers with management enabled are directly exploitable.
🏢 Internal Only: MEDIUM - Internal servers still vulnerable to compromised management accounts or insider threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid management account credentials. Public proof-of-concept demonstrates file reading via path traversal.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.0 and later

Vendor Advisory: https://advisories.nats.io/CVE/CVE-2022-28357.txt

Restart Required: Yes

Instructions:

1. Download NATS server version 2.8.0 or later from https://github.com/nats-io/nats-server/releases
2. Stop the running NATS server
3. Replace the nats-server binary with the patched version
4. Restart the NATS server
5. Verify the version with 'nats-server -v'

🔧 Temporary Workarounds

Disable Management Accounts (platform: all)

Remove or disable management account configuration to eliminate the attack vector:

  • Edit nats-server.conf and remove or comment out the 'accounts' section with management permissions
  • Remove any 'management' account definitions from the configuration

Network Access Control (platform: linux)

Restrict access to management endpoints using firewall rules (replace trusted_ip with the address or range that is allowed to reach port 8222; the ACCEPT rule must be added before the DROP rule):

iptables -A INPUT -p tcp --dport 8222 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 8222 -j DROP

🧯 If You Can't Patch

  • Disable management accounts completely in configuration
  • Implement strict network segmentation to isolate NATS management endpoints from untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check if running NATS server version 2.2.0-2.7.4 AND management accounts are enabled in configuration

Check Version:

nats-server -v

Verify Fix Applied:

Verify nats-server version is 2.8.0 or higher with 'nats-server -v'
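The version check above is what you would run across a fleet. The following is an added example (not part of this advisory and not code from the NATS project) that parses the output of 'nats-server -v', places the version against the affected range (2.2.0 through 2.7.4) and the fixed range (2.8.0 and later) stated above, and combines it with the management-account condition. It assumes the output looks like 'nats-server: v2.7.4'; the function names and the management_enabled flag are the example's own, and the sample outputs are constructed.

```python
import re
import subprocess

# Version boundaries taken from the advisory text above.
AFFECTED_MIN = (2, 2, 0)
AFFECTED_MAX = (2, 7, 4)
FIXED_MIN = (2, 8, 0)

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(output):
    """Extract (major, minor, patch) from `nats-server -v` output.

    The 'nats-server: v2.7.4' shape is an assumption about the tool's
    output format; any 'x.y.z' token in the output is accepted.
    """
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError(f"no version found in: {output!r}")
    return tuple(int(x) for x in m.groups())


def classify(version):
    """Return 'affected', 'fixed' or 'outside-range' for a version tuple."""
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    if version >= FIXED_MIN:
        return "fixed"
    # Older than 2.2.0 (or a number the advisory does not list, e.g. 2.7.5):
    # not inside the affected range given above.
    return "outside-range"


def assess(output, management_enabled):
    """Combine the version state with the configuration condition.

    Per the advisory, a host is vulnerable only when the version is in the
    affected range AND management accounts are enabled.
    """
    version = parse_version(output)
    state = classify(version)
    return {
        "version": version,
        "state": state,
        "vulnerable": state == "affected" and management_enabled,
    }


def check_installed(management_enabled, binary="nats-server"):
    """Run the real binary on this host; returns None if it is not installed."""
    try:
        out = subprocess.run([binary, "-v"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return assess(out.stdout + out.stderr, management_enabled)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real hosts.
    for sample in ("nats-server: v2.7.4", "nats-server: v2.8.0", "nats-server: v2.1.9"):
        print(sample, "->", assess(sample, management_enabled=True))
```

Whether management accounts are enabled still has to come from the server configuration; the example takes that as a boolean so the version logic stays reusable in inventory tooling.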

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in NATS logs
  • Multiple failed management authentication attempts followed by successful access

Network Indicators:

  • Unusual HTTP requests to management port (default 8222) with path traversal patterns like '../'

SIEM Query:

source="nats-server" AND (http_request="*..*" OR http_request="*%2e%2e*")
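The SIEM query above catches literal '..' and single-encoded '%2e%2e'; double-encoded paths ('%252e') slip past it. As an added example (not part of this advisory, and not code from NATS), the following Python scans access-log lines for the management port, percent-decodes each request path until it stops changing, and flags any path that contains a '..' segment after decoding. The log lines are constructed, in a common proxy access-log format that is assumed to sit in front of the server; nats-server itself is not assumed to emit lines in this shape.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines for the management port (8222).
# The format is assumed (a reverse proxy / access log in front of the server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2022:10:00:01 +0000] "GET /varz HTTP/1.1" 200 812
10.0.0.5 - - [01/Apr/2022:10:00:02 +0000] "GET /connz?subs=1 HTTP/1.1" 200 1902
10.0.0.9 - - [01/Apr/2022:10:00:03 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0
10.0.0.9 - - [01/Apr/2022:10:00:04 +0000] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 0
10.0.0.9 - - [01/Apr/2022:10:00:05 +0000] "GET /%252e%252e/config HTTP/1.1" 404 0
10.0.0.7 - - [01/Apr/2022:10:00:06 +0000] "GET /healthz HTTP/1.1" 200 17
"""

# Source, timestamp, method, path and status from a combined-style log line.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# A '..' path segment bounded by slashes (or backslashes), or at either end.
TRAVERSAL_RE = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def decode_fully(path, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded sequences such as %252e%252e are seen as '..' too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path):
    """True if the request path contains a '..' segment after decoding.
    The query string is dropped first so '?x=..' does not trigger a hit."""
    decoded = decode_fully(path.split("?", 1)[0])
    return bool(TRAVERSAL_RE.search(decoded))


def find_traversal_requests(log_text):
    """Return one record per log line whose request path looks like traversal."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        if is_traversal(m["path"]):
            hits.append({
                "src": m["src"],
                "ts": m["ts"],
                "path": m["path"],
                "decoded": decode_fully(m["path"]),
                "status": int(m["status"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} {hit['path']} -> {hit['decoded']} ({hit['status']})")
```

Grouping hits by source address and correlating them with management-account logins from the server log is what turns a single flagged request into an incident worth triaging; note that a 404 on the proxy does not by itself prove the server rejected the read.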
