{"id":"CVE-2022-26652","details":"NATS nats-server before 2.7.4 allows Directory Traversal (with write access) via an element in a ZIP archive for JetStream streams. nats-streaming-server before 0.24.3 is also affected.","aliases":["BIT-nats-2022-26652","GHSA-6h3m-36w8-hv68","GO-2022-0351"],"modified":"2026-04-02T07:55:47.361864Z","published":"2022-03-10T17:47:51.470Z","related":["GHSA-6h3m-36w8-hv68"],"references":[{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2022/03/10/1"},{"type":"ADVISORY","url":"https://advisories.nats.io/CVE/CVE-2022-26652.txt"},{"type":"ADVISORY","url":"https://github.com/nats-io/nats-server/releases"},{"type":"ADVISORY","url":"https://github.com/nats-io/nats-server/security/advisories/GHSA-6h3m-36w8-hv68"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nats-io/nats-server","events":[{"introduced":"0e3c7230e4b7c85795592f74a62351f6fe22fcbd"},{"fixed":"a86b84a9f35168973d910f462b8d03f77699b34f"}],"database_specific":{"versions":[{"introduced":"2.2.0"},{"fixed":"2.7.4"}]}},{"type":"GIT","repo":"https://github.com/nats-io/nats-streaming-server","events":[{"introduced":"2a67132e38c3fb3ace0bb2b8c0a71d8f08380e67"},{"fixed":"4202e6a727aa32e638e6ce205c0bc054e74b4643"}],"database_specific":{"versions":[{"introduced":"0.15.0"},{"fixed":"0.24.3"}]}}],"versions":["v0.15.0","v0.15.1","v0.16.0","v0.16.2","v0.17.0","v0.18.0","v0.19.0","v0.20.0","v0.21.0","v0.21.1","v0.21.2","v0.22.0","v0.22.1","v0.23.0","v0.23.1","v0.23.2","v0.24.0","v0.24.1","v0.24.2","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.3.0","v2.3.1","v2.3.2","v2.3.3","v2.3.4","v2.4.0","v2.5.0","v2.6.0","v2.6.1","v2.6.2","v2.6.3","v2.6.4","v2.6.5","v2.6.6","v2.7.0","v2.7.0-rc1","v2.7.0-rc2","v2.7.1","v2.7.2","v2.7.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-26652.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}