xkeys Seal encryption used fixed key for all encryption
CVE-2023-46129

7.5HIGH

Key Information:

Vendor: Nats-io
Status: Nkeys
Vendor: CVE Published:; 31 October 2023

What is CVE-2023-46129?

The NATS.io nkeys library introduced an encryption feature for authentication callouts but contained an implementation flaw. The logic passed an array by value into an internal function, leading to the population of the encryption key with an all-zeros value. Consequently, any data encrypted using this method was effectively unsecured, though the signing function remained unaffected. Users utilizing nkeys in conjunction with NATS Server versions 2.10.0 to 2.10.3 should update to nkeys library version 0.4.6 or later, as it addresses this critical encryption handling bug. There are no known workarounds, making prompt updates essential for maintaining security.

Affected Version(s)

nkeys >= 2.10.0, < 2.10.4 < 2.10.0, 2.10.4

nkeys >= 0.4.0, < 0.4.6 < 0.4.0, 0.4.6

References

https://github.com/nats-io/nkeys/security/advisories/GHSA...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2023/10/31/1

https://lists.fedoraproject.org/archives/list/package-ann...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 31, 2023
Vulnerability Reserved
Oct 16, 2023

Nats-io

What is CVE-2023-46129?

Affected Version(s)

References

CVSS V3.1

Timeline