data/reports: add GO-2025-3600

  - data/reports/GO-2025-3600.yaml

Fixes #3600

Change-Id: I17778f10a060e55078b2f3ce00d9eac7264176d3
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/664536
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Zvonimir Pavlinovic <zpavlinovic@google.com>
Auto-Submit: Neal Patel <nealpatel@google.com>

Author: thatnealpatel

data/osv/GO-2025-3600.json

@@ -0,0 +1,162 @@
+{
+  "schema_version": "1.3.1",
+  "id": "GO-2025-3600",
+  "modified": "0001-01-01T00:00:00Z",
+  "published": "0001-01-01T00:00:00Z",
+  "aliases": [
+    "CVE-2025-30215",
+    "GHSA-fhg8-qxh5-7q3w"
+  ],
+  "summary": "Missing ACLs on JavaScript APIs allowing privilege escalation github.com/nats-io/nats-server",
+  "details": "Missing",
+  "affected": [
+    {
+      "package": {
+        "name": "github.com/nats-io/nats-server/v2",
+        "ecosystem": "Go"
+      },
+      "ranges": [
+        {
+          "type": "SEMVER",
+          "events": [
+            {
+              "introduced": "2.2.0"
+            },
+            {
+              "fixed": "2.10.27"
+            },
+            {
+              "introduced": "2.11.0"
+            },
+            {
+              "fixed": "2.11.1"
+            }
+          ]
+        }
+      ],
+      "ecosystem_specific": {
+        "imports": [
+          {
+            "path": "github.com/nats-io/nats-server/v2/server",
+            "symbols": [
+              "Account.AddServiceImport",
+              "Account.AddServiceImportWithClaim",
+              "Account.DisableJetStream",
+              "Account.EnableJetStream",
+              "Account.RestoreStream",
+              "Account.TrackServiceExport",
+              "Account.TrackServiceExportWithSampling",
+              "Account.UnTrackServiceExport",
+              "CacheDirAccResolver.Reload",
+              "CacheDirAccResolver.Start",
+              "ConfigureOptions",
+              "DirAccResolver.Fetch",
+              "DirAccResolver.Reload",
+              "DirAccResolver.Start",
+              "DirAccResolver.Store",
+              "DirJWTStore.Merge",
+              "DirJWTStore.Pack",
+              "DirJWTStore.PackWalk",
+              "DirJWTStore.Reload",
+              "DirJWTStore.SaveAcc",
+              "DirJWTStore.SaveAct",
+              "New",
+              "NewCacheDirAccResolver",
+              "NewDirAccResolver",
+              "NewExpiringDirJWTStore",
+              "NewServer",
+              "Options.ProcessConfigFile",
+              "ProcessConfigFile",
+              "Run",
+              "Server.AcceptLoop",
+              "Server.AccountStatz",
+              "Server.Accountz",
+              "Server.ActivePeers",
+              "Server.Connz",
+              "Server.DisableJetStream",
+              "Server.DisconnectClientByID",
+              "Server.EnableJetStream",
+              "Server.Gatewayz",
+              "Server.HandleAccountStatz",
+              "Server.HandleAccountz",
+              "Server.HandleConnz",
+              "Server.HandleGatewayz",
+              "Server.HandleHealthz",
+              "Server.HandleIPQueuesz",
+              "Server.HandleSubsz",
+              "Server.HandleVarz",
+              "Server.InProcessConn",
+              "Server.Ipqueuesz",
+              "Server.JetStreamEnabledForDomain",
+              "Server.JetStreamIsStreamAssigned",
+              "Server.JetStreamIsStreamCurrent",
+              "Server.JetStreamSnapshotMeta",
+              "Server.JetStreamSnapshotStream",
+              "Server.JetStreamStepdownConsumer",
+              "Server.JetStreamStepdownStream",
+              "Server.LameDuckShutdown",
+              "Server.LookupAccount",
+              "Server.LookupOrRegisterAccount",
+              "Server.NumLoadedAccounts",
+              "Server.NumSubscriptions",
+              "Server.RegisterAccount",
+              "Server.Reload",
+              "Server.ReloadOptions",
+              "Server.SetDefaultSystemAccount",
+              "Server.SetSystemAccount",
+              "Server.Shutdown",
+              "Server.Start",
+              "Server.StartHTTPMonitoring",
+              "Server.StartHTTPSMonitoring",
+              "Server.StartMonitoring",
+              "Server.StartProfiler",
+              "Server.StartRouting",
+              "Server.Subsz",
+              "Server.UpdateAccountClaims",
+              "Server.Varz",
+              "client.RegisterNkeyUser",
+              "client.RegisterUser",
+              "clusterOption.Apply",
+              "leafNodeOption.Apply",
+              "maxConnOption.Apply",
+              "mqttMaxAckPendingReload.Apply",
+              "raft.AdjustClusterSize",
+              "raft.InstallSnapshot",
+              "raft.PauseApply",
+              "raft.ProposeKnownPeers",
+              "raft.ProposeRemovePeer",
+              "raft.ResumeApply",
+              "raft.SendSnapshot",
+              "raft.StepDown",
+              "raft.UpdateKnownPeers",
+              "routesOption.Apply"
+            ]
+          }
+        ]
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/nats-io/nats-server/security/advisories/GHSA-fhg8-qxh5-7q3w"
+    },
+    {
+      "type": "WEB",
+      "url": "https://advisories.nats.io/CVE/secnote-2025-01.txt"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/nats-io/nats-server/commit/3e7e4645a24e829a36b4210f2d7c34dea7f7a424"
+    }
+  ],
+  "credits": [
+    {
+      "name": "Thomas Morgan"
+    }
+  ],
+  "database_specific": {
+    "url": "https://pkg.go.dev/vuln/GO-2025-3600",
+    "review_status": "REVIEWED"
+  }
+}

data/reports/GO-2025-3600.yaml

@@ -0,0 +1,122 @@
+id: GO-2025-3600
+modules:
+    - module: github.com/nats-io/nats-server/v2
+      versions:
+        - introduced: 2.2.0
+        - fixed: 2.10.27
+        - introduced: 2.11.0
+        - fixed: 2.11.1
+      vulnerable_at: 2.10.26
+      packages:
+        - package: github.com/nats-io/nats-server/v2/server
+          symbols:
+            - ConfigureOptions
+            - New
+            - NewServer
+            - Options.ProcessConfigFile
+            - ProcessConfigFile
+            - Run
+            - Server.EnableJetStream
+            - Server.Reload
+            - Server.ReloadOptions
+            - Server.Start
+          derived_symbols:
+            - Account.AddServiceImport
+            - Account.AddServiceImportWithClaim
+            - Account.DisableJetStream
+            - Account.EnableJetStream
+            - Account.RestoreStream
+            - Account.TrackServiceExport
+            - Account.TrackServiceExportWithSampling
+            - Account.UnTrackServiceExport
+            - CacheDirAccResolver.Reload
+            - CacheDirAccResolver.Start
+            - DirAccResolver.Fetch
+            - DirAccResolver.Reload
+            - DirAccResolver.Start
+            - DirAccResolver.Store
+            - DirJWTStore.Merge
+            - DirJWTStore.Pack
+            - DirJWTStore.PackWalk
+            - DirJWTStore.Reload
+            - DirJWTStore.SaveAcc
+            - DirJWTStore.SaveAct
+            - NewCacheDirAccResolver
+            - NewDirAccResolver
+            - NewExpiringDirJWTStore
+            - Server.AcceptLoop
+            - Server.AccountStatz
+            - Server.Accountz
+            - Server.ActivePeers
+            - Server.Connz
+            - Server.DisableJetStream
+            - Server.DisconnectClientByID
+            - Server.Gatewayz
+            - Server.HandleAccountStatz
+            - Server.HandleAccountz
+            - Server.HandleConnz
+            - Server.HandleGatewayz
+            - Server.HandleHealthz
+            - Server.HandleIPQueuesz
+            - Server.HandleSubsz
+            - Server.HandleVarz
+            - Server.InProcessConn
+            - Server.Ipqueuesz
+            - Server.JetStreamEnabledForDomain
+            - Server.JetStreamIsStreamAssigned
+            - Server.JetStreamIsStreamCurrent
+            - Server.JetStreamSnapshotMeta
+            - Server.JetStreamSnapshotStream
+            - Server.JetStreamStepdownConsumer
+            - Server.JetStreamStepdownStream
+            - Server.LameDuckShutdown
+            - Server.LookupAccount
+            - Server.LookupOrRegisterAccount
+            - Server.NumLoadedAccounts
+            - Server.NumSubscriptions
+            - Server.RegisterAccount
+            - Server.SetDefaultSystemAccount
+            - Server.SetSystemAccount
+            - Server.Shutdown
+            - Server.StartHTTPMonitoring
+            - Server.StartHTTPSMonitoring
+            - Server.StartMonitoring
+            - Server.StartProfiler
+            - Server.StartRouting
+            - Server.Subsz
+            - Server.UpdateAccountClaims
+            - Server.Varz
+            - client.RegisterNkeyUser
+            - client.RegisterUser
+            - clusterOption.Apply
+            - leafNodeOption.Apply
+            - maxConnOption.Apply
+            - mqttMaxAckPendingReload.Apply
+            - raft.AdjustClusterSize
+            - raft.InstallSnapshot
+            - raft.PauseApply
+            - raft.ProposeKnownPeers
+            - raft.ProposeRemovePeer
+            - raft.ResumeApply
+            - raft.SendSnapshot
+            - raft.StepDown
+            - raft.UpdateKnownPeers
+            - routesOption.Apply
+summary: |-
+    Missing ACLs on JavaScript APIs allowing privilege escalation
+    github.com/nats-io/nats-server
+description: Missing
+cves:
+    - CVE-2025-30215
+ghsas:
+    - GHSA-fhg8-qxh5-7q3w
+credits:
+    - Thomas Morgan
+references:
+    - advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-fhg8-qxh5-7q3w
+    - web: https://advisories.nats.io/CVE/secnote-2025-01.txt
+    - fix: https://github.com/nats-io/nats-server/commit/3e7e4645a24e829a36b4210f2d7c34dea7f7a424
+source:
+    id: go-security-team
+    created: 2025-04-10T12:58:14.561598-04:00
+review_status: REVIEWED