{"url":"http://public2.vulnerablecode.io/api/packages/44084?format=json","purl":"pkg:deb/debian/golang-github-nats-io-nkeys@0?distro=trixie","type":"deb","namespace":"debian","name":"golang-github-nats-io-nkeys","version":"0","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"0.0~git20181103.f9a6cff-1.1","latest_non_vulnerable_version":"0.4.15-1","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/132566?format=json","vulnerability_id":"VCID-zd5j-3vyt-yqf3","summary":"NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. In nkeys versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3, the nkeys library's `xkeys` encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing.  \nFIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY. nkeys Go library 0.4.6, corresponding with NATS Server 2.10.4, has a patch for this issue. No known workarounds are available. For any application handling auth callouts in Go, if using the nkeys library, update the dependency, recompile and deploy that in lockstep.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46129.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46129.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46129","reference_id":"","reference_type":"","scores":[{"value":"0.00149","scoring_system":"epss","scoring_elements":"0.35224","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-46129"},{"reference_url":"https://github.com/nats-io/nkeys","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nats-io/nkeys"},{"reference_url":"https://github.com/nats-io/nkeys/commit/58fb9d69f42ea73fffad1d14e5914dc666f3daa1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/nats-io/nkeys/commit/58fb9d69f42ea73fffad1d14e5914dc666f3daa1"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46129","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-46129"},{"reference_url":"http://www.openwall.com/lists/oss-security/2023/10/31/1","reference_id":"1","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-26T21:50:00Z/"}],"url":"http://www.openwall.com/lists/oss-security/2023/10/31/1"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055010","reference_id":"1055010","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055010"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055011","reference_id":"1055011","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055011"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2246986","reference_id":"2246986","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2246986"},{"reference_url":"https://github.com/nats-io/nkeys/security/advisories/GHSA-mr45-rx8q-wcm9","reference_id":"GHSA-mr45-rx8q-wcm9","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-26T21:50:00Z/"}],"url":"https://github.com/nats-io/nkeys/security/advisories/GHSA-mr45-rx8q-wcm9"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/","reference_id":"R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-26T21:50:00Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R3UETKPUB3V5JS5TLZOF3SMTGT5K5APS/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7663","reference_id":"RHSA-2023:7663","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7663"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/","reference_id":"ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-26T21:50:00Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULQQONMSCQSH5Z5OWFFQHCGEZ3NL4DRJ/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/44084?format=json","purl":"pkg:deb/debian/golang-github-nats-io-nkeys@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-nats-io-nkeys@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/44085?format=json","purl":"pkg:deb/debian/golang-github-nats-io-nkeys@0.0~git20181103.f9a6cff-1.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-nats-io-nkeys@0.0~git20181103.f9a6cff-1.1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/44083?format=json","purl":"pkg:deb/debian/golang-github-nats-io-nkeys@0.3.0-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-nats-io-nkeys@0.3.0-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/44087?format=json","purl":"pkg:deb/debian/golang-github-nats-io-nkeys@0.4.6-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-nats-io-nkeys@0.4.6-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/44088?format=json","purl":"pkg:deb/debian/golang-github-nats-io-nkeys@0.4.10-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-nats-io-nkeys@0.4.10-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/44086?format=json","purl":"pkg:deb/debian/golang-github-nats-io-nkeys@0.4.15-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-nats-io-nkeys@0.4.15-1%3Fdistro=trixie"}],"aliases":["CVE-2023-46129","GHSA-mr45-rx8q-wcm9"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-zd5j-3vyt-yqf3"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/golang-github-nats-io-nkeys@0%3Fdistro=trixie"}