
Cloud Vulnerability DB
A community-led vulnerabilities database
NATS.io, a high-performance open-source pub-sub distributed communication technology, was found to contain a vulnerability (CVE-2022-26652) affecting versions 2.2.0 through 2.7.3 of the nats-server and versions 0.15.0 through 0.24.2 of the nats-streaming-server. The vulnerability was discovered on March 7, 2022, by Yiming Xiang from TIANJI LAB of NSFOCUS and was publicly disclosed on March 9, 2022 (NATS Advisory, OSS Security).
The vulnerability allows for arbitrary file write access through the JetStream streams backup and restore functionality. The backup format uses a tar archive file, but inadequate checks on the filenames within the archive permit a "Zip Slip" attack during stream restore operations. The server fails to properly sanitize elements of the archive file, enabling users to write arbitrary content to attacker-controlled filenames. The vulnerability has been assigned a CVSS v3 Base Score of 6.5 (Medium) with an attack vector of Network, low attack complexity, and low privileges required (AttackerKB).
When exploited, this vulnerability allows an attacker with access to JetStream functionality to write arbitrary files to the system, potentially leading to system compromise through the manipulation of critical files. The impact is particularly significant in environments where JetStream is enabled for untrusted users (NATS Advisory).
Several mitigation options are available: 1) Upgrade the NATS server to version 2.7.4 or later, which contains the fix. 2) Disable JetStream for untrusted users. 3) Implement appropriate sandboxing techniques, such as running NATS as an unprivileged user with systemd's ProtectSystem=strict and PrivateTmp=true restrictions, limiting the impact to the JetStream storage area only. The util/nats-server-hardened.service configuration is recommended for secure deployment (NATS Advisory).
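The check that was missing in the vulnerable restore path, as an added example in Go (not code from the NATS server): before a tar-based stream restore writes anything, each entry name is validated against the restore directory so that traversal names, absolute names and symlinks are refused. The restore directory and the entry names in the sample archive are made up for this illustration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"errors"
	"io"
	"path/filepath"
)

// ErrEscapesRoot marks an entry that would be written outside the restore directory.
var ErrEscapesRoot = errors.New("archive entry escapes restore directory")

// SafeRestorePath joins an entry name onto root, rejecting absolute names and names whose ".." segments climb above root.
func SafeRestorePath(root, name string) (string, error) {
	if !filepath.IsLocal(name) { // lexical check: "a/../b" is fine, "a/../../b" and "/x" are not
		return "", ErrEscapesRoot
	}
	return filepath.Join(root, name), nil
}

// CheckArchive walks a tar stream and returns the entry names a restore must refuse:
// path-escaping names and symlinks, which could redirect later writes outside root.
func CheckArchive(root string, archive io.Reader) ([]string, error) {
	tr := tar.NewReader(archive)
	var rejected []string
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return rejected, nil
		}
		if err != nil && !errors.Is(err, tar.ErrInsecurePath) { // Go 1.20+ may flag traversal itself
			return nil, err
		}
		if _, perr := SafeRestorePath(root, hdr.Name); err != nil || perr != nil || hdr.Typeflag == tar.TypeSymlink {
			rejected = append(rejected, hdr.Name)
		}
	}
}

// BuildSampleArchive builds an in-memory tar from entry names (constructed test data, not a real backup).
func BuildSampleArchive(names ...string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, n := range names {
		_ = tw.WriteHeader(&tar.Header{Name: n, Mode: 0600})
	}
	_ = tw.Close()
	return buf.Bytes()
}
```

Run CheckArchive over an archive before extracting it and abort the restore if the returned list is non-empty; a restore that validates entries one at a time can still leave earlier files on disk.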
Source: This report was generated using AI