Product
NATS.io MQTT ACL Bypass Vulnerability
2 rules 1 TTPA vulnerability in NATS.io versions before v2.12.6 or v2.11.15 allows MQTT clients to bypass ACL checks for MQTT subjects due to ACLs not being applied in the `$MQTT.>` namespace, potentially allowing unauthorized access and control of MQTT communications.
NATS Server MQTT Password Disclosure Vulnerability
3 rules 1 TTPThe NATS server exposes MQTT passwords in plaintext via monitoring endpoints due to incorrect classification as JWTs, affecting versions before v2.12.6 or v2.11.15.
NATS Server Credentials Exposure via Monitoring Port
3 rulesNATS servers configured with command-line credentials expose them through the `/debug/vars` endpoint on the monitoring port, affecting versions prior to 2.11.15 and between 2.12.0-RC.1 and 2.12.6, potentially leading to unauthorized access.
NATS Server Panic via Malicious Compression on Leafnode Port
2 rules 2 TTPs 1 IOCA vulnerability exists in NATS servers configured to accept leafnode connections where a malicious remote NATS server can trigger a server panic by exploiting compression negotiation on the leafnode port.
NATS Server Pre-Authentication Denial-of-Service via Leafnode Handling
2 rules 1 TTPA pre-authentication denial-of-service vulnerability exists in NATS servers before versions v2.12.6 and v2.11.15, allowing a remote client connected to the leafnode port to crash the server by sending a malformed message.