NATS-Server
cpe:2.3:a:nats:nats_server:*:*:*:*:*:*:*
- >= 2.2.0, < 2.11.1
- >= 2.2.0, < 2.10.27
A vulnerability exists in NATS-Server versions from 2.2.0 prior to the fixed releases 2.10.27 and 2.11.1, allowing users with JetStream management permissions to access and manipulate JetStream assets across different accounts. The issue arises because certain JetStream API requests lack proper access controls, enabling unauthorized administrative actions, including data destruction, on JetStream assets in other accounts. The flaw lies in the management of JetStream assets through messages in the '$JS.' subject namespace, part of which is exposed to regular accounts for asset management.
Exploitation of this vulnerability could lead to unauthorized administrative actions on JetStream assets in other accounts, including the total destruction of JetStream configuration and data, removal of servers from JetStream clusters, and unauthorized movement or cancellation of stream transfers between servers.
The vulnerability can be reproduced by creating multiple accounts with JetStream enabled and then using one account to issue administrative commands, via the unprotected JetStream APIs, that affect assets in another account. This can be done by purging another account's streams or by moving streams between servers, which demonstrates the missing access controls and the cross-account impact of the vulnerability.
Users are advised to upgrade NATS-Server to version 2.11.1 or 2.10.27.
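As an added example (not part of this advisory), the following Python check decides whether a reported NATS-Server version falls inside the affected ranges listed above, reading the two ranges as the 2.10.x line being fixed in 2.10.27 and the 2.11.x line in 2.11.1; the `nats-server: vX.Y.Z` input format and the sample inputs are assumptions for illustration.

```python
import re
from typing import Optional, Tuple

# Version boundaries taken from this advisory: JetStream-era builds start
# at 2.2.0; the 2.10.x line is fixed in 2.10.27, the 2.11.x line in 2.11.1.
FIRST_AFFECTED = (2, 2, 0)
FIXED_2_10 = (2, 10, 27)
FIXED_2_11 = (2, 11, 1)

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract an X.Y.Z version from text such as 'nats-server: v2.10.26'.
    Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(text: str) -> bool:
    """True if the version in `text` is inside the advisory's vulnerable ranges."""
    v = parse_version(text)
    if v is None:
        raise ValueError(f"no version found in {text!r}")
    if v < FIRST_AFFECTED:
        return False  # pre-JetStream releases are out of scope
    if v < FIXED_2_10:
        return True   # 2.2.0 up to 2.10.26
    if v[:2] == (2, 11) and v < FIXED_2_11:
        return True   # 2.11.0 only; 2.11.1 carries the fix
    return False      # 2.10.27+, 2.11.1+ and later lines


if __name__ == "__main__":
    # Constructed sample lines in the assumed `nats-server -v` output format.
    for line in ["nats-server: v2.10.26", "nats-server: v2.10.27",
                 "nats-server: v2.11.0", "nats-server: v2.11.1", "v2.1.9"]:
        print(line, "->", "AFFECTED" if is_affected(line) else "not affected")
```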