Fedora 38 FEDORA-2023-c33188f575 Critical NATS-Server Authentication Bypass

A High Performance NATS Server written in Go and hosted by the Cloud Native

Computing Foundation (CNCF).

Without any authorization rules in the nats-server, users can connect without authentication. Before nats-server 2.2.0, all authentication and authorization rules for a nats-server lived in an "authorization" block, defining users. With nats-server 2.2.0 all users live inside accounts. When using the authorization block, whose syntax predates this, those users will be placed into the implicit global account, "$G". Users inside accounts go into the newer "accounts" block. If an "accounts" block is defined, in simple deployment scenarios this is often used only to enable client access to the system account. When the only account added is the system account "$SYS", the nats-server would create an implicit user in "$G" and set it as the `no_auth_user` account, enabling the same "without authentication" logic as without any rules. This preserved the ability to connect simply, and then add one authenticated login for system access. But with an "authorization" block, th...