A Mass assignment vulnerability was found allowing a non-admin user to escalate privileges to admin user.
Issue is patched in 0.17.1, and fixed in 0.18.6+.
If Users are using 0.17.1, they should run "docker pull gravitl/netmaker:v0.17.1" and "docker-compose up -d". This will switch them to the patched users
If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later.
If using 0.17.1, can just pull the latest docker image of backend and restart server.
Credit to Project Discovery, and in particular https://github.com/rootxharsh , https://github.com/iamnoooob, and https://github.com/projectdiscovery
| Score | Percentile |
|---|---|
| 0.55% | 67.50% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.8 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-826j-8wp2-4x6q ↗ |
| CVE | CVE-2023-32079 ↗ |
| CWE id | Name |
|---|---|
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| go | github.com/gravitl/netmaker | < 0.17.1 | 0.17.1 | — |
| go | github.com/gravitl/netmaker | >= 0.18.0, < 0.18.6 | 0.18.6 | — |