Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
16 vulnerabilities found for netmaker by netmaker
CVE-2026-38651 (GCVE-0-2026-38651)
Vulnerability from nvd – Published: 2026-04-28 00:00 – Updated: 2026-04-28 17:34
VLAI
Summary
Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information
Severity
8.2 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-38651",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T17:34:36.148138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T17:34:42.863Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass/"
},
{
"tags": [
"exploit"
],
"url": "https://www.zyenra.com/blog/netmaker-jwt-verification-bypass"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T15:44:00.225Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/gravitl/netmaker/commit/5309aa70d464ef565911369714d661a61481a79b"
},
{
"url": "https://www.zyenra.com/blog/netmaker-jwt-verification-bypass"
},
{
"url": "https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-38651",
"datePublished": "2026-04-28T00:00:00.000Z",
"dateReserved": "2026-04-06T00:00:00.000Z",
"dateUpdated": "2026-04-28T17:34:42.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29771 (GCVE-0-2026-29771)
Vulnerability from nvd – Published: 2026-03-07 15:14 – Updated: 2026-03-09 18:27
VLAI
Title
Netmaker: Denial of Service via Server Shutdown Endpoint
Summary
Netmaker makes networks with WireGuard. Prior to version 1.2.0, the /api/server/shutdown endpoint allows termination of the Netmaker server process via syscall.SIGINT. This allows any user to repeatedly shut down the server, causing cyclic denial of service with approximately 3-second restart intervals. This issue has been patched in version 1.2.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-404 - Improper Resource Shutdown or Release
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/gravitl/netmaker/security/advi… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29771",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T17:43:39.289015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T18:27:17.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netmaker",
"vendor": "gravitl",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netmaker makes networks with WireGuard. Prior to version 1.2.0, the /api/server/shutdown endpoint allows termination of the Netmaker server process via syscall.SIGINT. This allows any user to repeatedly shut down the server, causing cyclic denial of service with approximately 3-second restart intervals. This issue has been patched in version 1.2.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404: Improper Resource Shutdown or Release",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-07T15:14:38.361Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-rhr9-hgcm-x289",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-rhr9-hgcm-x289"
}
],
"source": {
"advisory": "GHSA-rhr9-hgcm-x289",
"discovery": "UNKNOWN"
},
"title": "Netmaker: Denial of Service via Server Shutdown Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29771",
"datePublished": "2026-03-07T15:14:38.361Z",
"dateReserved": "2026-03-04T16:26:02.897Z",
"dateUpdated": "2026-03-09T18:27:17.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-32079 (GCVE-0-2023-32079)
Vulnerability from nvd – Published: 2023-08-24 22:03 – Updated: 2024-10-02 19:11
VLAI
Title
Netmaker Privilige Escalation Vulnerability
Summary
Netmaker makes networks with WireGuard. A Mass assignment vulnerability was found in versions prior to 0.17.1 and 0.18.6 that allows a non-admin user to escalate privileges to those of an admin user. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest docker image of the backend and restart the server.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/gravitl/netmaker/security/advi… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:29.193Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-826j-8wp2-4x6q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-826j-8wp2-4x6q"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32079",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T19:11:14.591343Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T19:11:26.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netmaker",
"vendor": "gravitl",
"versions": [
{
"status": "affected",
"version": "\u003c 0.17.1"
},
{
"status": "affected",
"version": "\u003e= 0.18.0, \u003c 0.18.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netmaker makes networks with WireGuard. A Mass assignment vulnerability was found in versions prior to 0.17.1 and 0.18.6 that allows a non-admin user to escalate privileges to those of an admin user. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest docker image of the backend and restart the server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-24T22:03:43.825Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-826j-8wp2-4x6q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-826j-8wp2-4x6q"
}
],
"source": {
"advisory": "GHSA-826j-8wp2-4x6q",
"discovery": "UNKNOWN"
},
"title": "Netmaker Privilige Escalation Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32079",
"datePublished": "2023-08-24T22:03:43.825Z",
"dateReserved": "2023-05-01T16:47:35.315Z",
"dateUpdated": "2024-10-02T19:11:26.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32078 (GCVE-0-2023-32078)
Vulnerability from nvd – Published: 2023-08-24 21:35 – Updated: 2024-10-02 19:12
VLAI
Title
Netmaker IDOR Vulnerability Allows User to Update Other User's Password
Summary
Netmaker makes networks with WireGuard. An Insecure Direct Object Reference (IDOR) vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the user update function. By specifying another user's username, it was possible to update the other user's password. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest docker image of the backend and restart the server.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gravitl/netmaker/security/advi… | x_refsource_CONFIRM |
| https://github.com/gravitl/netmaker/pull/2158 | x_refsource_MISC |
| https://github.com/gravitl/netmaker/commit/b3be57… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.754Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-256m-j5qw-38f4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-256m-j5qw-38f4"
},
{
"name": "https://github.com/gravitl/netmaker/pull/2158",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/pull/2158"
},
{
"name": "https://github.com/gravitl/netmaker/commit/b3be57c65bf0bbfab43b66853c8e3637a43e2839",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/commit/b3be57c65bf0bbfab43b66853c8e3637a43e2839"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32078",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T19:12:21.892908Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T19:12:47.050Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netmaker",
"vendor": "gravitl",
"versions": [
{
"status": "affected",
"version": "\u003c 0.17.1"
},
{
"status": "affected",
"version": "\u003e= 0.18.0, \u003c 0.18.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netmaker makes networks with WireGuard. An Insecure Direct Object Reference (IDOR) vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the user update function. By specifying another user\u0027s username, it was possible to update the other user\u0027s password. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest docker image of the backend and restart the server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-24T22:02:05.475Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-256m-j5qw-38f4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-256m-j5qw-38f4"
},
{
"name": "https://github.com/gravitl/netmaker/pull/2158",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/pull/2158"
},
{
"name": "https://github.com/gravitl/netmaker/commit/b3be57c65bf0bbfab43b66853c8e3637a43e2839",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/commit/b3be57c65bf0bbfab43b66853c8e3637a43e2839"
}
],
"source": {
"advisory": "GHSA-256m-j5qw-38f4",
"discovery": "UNKNOWN"
},
"title": "Netmaker IDOR Vulnerability Allows User to Update Other User\u0027s Password"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32078",
"datePublished": "2023-08-24T21:35:05.611Z",
"dateReserved": "2023-05-01T16:47:35.315Z",
"dateUpdated": "2024-10-02T19:12:47.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32077 (GCVE-0-2023-32077)
Vulnerability from nvd – Published: 2023-08-24 21:23 – Updated: 2024-10-02 19:14
VLAI
Title
Netmaker has Hardcoded DNS Secret Key
Summary
Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gravitl/netmaker/security/advi… | x_refsource_CONFIRM |
| https://github.com/gravitl/netmaker/pull/2170 | x_refsource_MISC |
| https://github.com/gravitl/netmaker/commit/1621c2… | x_refsource_MISC |
| https://github.com/gravitl/netmaker/commit/9362c3… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx"
},
{
"name": "https://github.com/gravitl/netmaker/pull/2170",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/pull/2170"
},
{
"name": "https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51"
},
{
"name": "https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32077",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T19:14:09.737338Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T19:14:22.352Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netmaker",
"vendor": "gravitl",
"versions": [
{
"status": "affected",
"version": "\u003c 0.17.1"
},
{
"status": "affected",
"version": "\u003e= 0.18.0, \u003c 0.18.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321: Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-24T21:57:07.712Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx"
},
{
"name": "https://github.com/gravitl/netmaker/pull/2170",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/pull/2170"
},
{
"name": "https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51"
},
{
"name": "https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657"
}
],
"source": {
"advisory": "GHSA-8x8h-hcq8-jwwx",
"discovery": "UNKNOWN"
},
"title": "Netmaker has Hardcoded DNS Secret Key"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32077",
"datePublished": "2023-08-24T21:23:14.294Z",
"dateReserved": "2023-05-01T16:47:35.315Z",
"dateUpdated": "2024-10-02T19:14:22.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36110 (GCVE-0-2022-36110)
Vulnerability from nvd – Published: 2022-09-09 19:15 – Updated: 2025-04-23 17:12
VLAI
Title
Netmaker vulnerable to Insufficient Granularity of Access Control
Summary
Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gravitl/netmaker/security/advi… | x_refsource_CONFIRM |
| https://github.com/gravitl/netmaker/releases/tag/… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:52:00.453Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/releases/tag/v0.15.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36110",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:49:24.565249Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:12:19.594Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netmaker",
"vendor": "gravitl",
"versions": [
{
"status": "affected",
"version": "\u003c 0.15.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220: Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-09T19:15:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/releases/tag/v0.15.1"
}
],
"source": {
"advisory": "GHSA-ggf6-638m-vqmg",
"discovery": "UNKNOWN"
},
"title": "Netmaker vulnerable to Insufficient Granularity of Access Control",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36110",
"STATE": "PUBLIC",
"TITLE": "Netmaker vulnerable to Insufficient Granularity of Access Control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "netmaker",
"version": {
"version_data": [
{
"version_value": "\u003c 0.15.1"
}
]
}
}
]
},
"vendor_name": "gravitl"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1220: Insufficient Granularity of Access Control"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-285: Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg",
"refsource": "CONFIRM",
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg"
},
{
"name": "https://github.com/gravitl/netmaker/releases/tag/v0.15.1",
"refsource": "MISC",
"url": "https://github.com/gravitl/netmaker/releases/tag/v0.15.1"
}
]
},
"source": {
"advisory": "GHSA-ggf6-638m-vqmg",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36110",
"datePublished": "2022-09-09T19:15:12.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:12:19.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23650 (GCVE-0-2022-23650)
Vulnerability from nvd – Published: 2022-02-18 22:00 – Updated: 2025-04-23 19:02
VLAI
Title
Use of Hard-coded Cryptographic Key in Netmaker
Summary
Netmaker is a platform for creating and managing virtual overlay networks using WireGuard. Prior to versions 0.8.5, 0.9.4, and 010.0, there is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server if the exploiter know the address and username of the admin. This effects the server (netmaker) component, and not clients. This has been patched in Netmaker v0.8.5, v0.9.4, and v0.10.0. There are currently no known workarounds.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gravitl/netmaker/security/advi… | x_refsource_CONFIRM |
| https://github.com/gravitl/netmaker/pull/781/comm… | x_refsource_MISC |
| https://github.com/gravitl/netmaker/commit/3d4f44… | x_refsource_MISC |
| https://github.com/gravitl/netmaker/commit/e9bce2… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:51:44.211Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-86f3-hf24-76q4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/pull/781/commits/1bec97c662670dfdab804343fc42ae4b1d050a87"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/commit/3d4f44ecfe8be4ca38920556ba3b90502ffb4fee"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/commit/e9bce264719f88c30e252ecc754d08f422f4c080"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23650",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:55:56.957444Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T19:02:25.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netmaker",
"vendor": "gravitl",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.5"
},
{
"status": "affected",
"version": "\u003e= 0.9.0, \u003c 0.9.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netmaker is a platform for creating and managing virtual overlay networks using WireGuard. Prior to versions 0.8.5, 0.9.4, and 010.0, there is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server if the exploiter know the address and username of the admin. This effects the server (netmaker) component, and not clients. This has been patched in Netmaker v0.8.5, v0.9.4, and v0.10.0. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321: Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-18T22:00:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-86f3-hf24-76q4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/pull/781/commits/1bec97c662670dfdab804343fc42ae4b1d050a87"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/commit/3d4f44ecfe8be4ca38920556ba3b90502ffb4fee"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/commit/e9bce264719f88c30e252ecc754d08f422f4c080"
}
],
"source": {
"advisory": "GHSA-86f3-hf24-76q4",
"discovery": "UNKNOWN"
},
"title": "Use of Hard-coded Cryptographic Key in Netmaker",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-23650",
"STATE": "PUBLIC",
"TITLE": "Use of Hard-coded Cryptographic Key in Netmaker"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "netmaker",
"version": {
"version_data": [
{
"version_value": "\u003c 0.8.5"
},
{
"version_value": "\u003e= 0.9.0, \u003c 0.9.4"
}
]
}
}
]
},
"vendor_name": "gravitl"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Netmaker is a platform for creating and managing virtual overlay networks using WireGuard. Prior to versions 0.8.5, 0.9.4, and 010.0, there is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server if the exploiter know the address and username of the admin. This effects the server (netmaker) component, and not clients. This has been patched in Netmaker v0.8.5, v0.9.4, and v0.10.0. There are currently no known workarounds."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-321: Use of Hard-coded Cryptographic Key"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-86f3-hf24-76q4",
"refsource": "CONFIRM",
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-86f3-hf24-76q4"
},
{
"name": "https://github.com/gravitl/netmaker/pull/781/commits/1bec97c662670dfdab804343fc42ae4b1d050a87",
"refsource": "MISC",
"url": "https://github.com/gravitl/netmaker/pull/781/commits/1bec97c662670dfdab804343fc42ae4b1d050a87"
},
{
"name": "https://github.com/gravitl/netmaker/commit/3d4f44ecfe8be4ca38920556ba3b90502ffb4fee",
"refsource": "MISC",
"url": "https://github.com/gravitl/netmaker/commit/3d4f44ecfe8be4ca38920556ba3b90502ffb4fee"
},
{
"name": "https://github.com/gravitl/netmaker/commit/e9bce264719f88c30e252ecc754d08f422f4c080",
"refsource": "MISC",
"url": "https://github.com/gravitl/netmaker/commit/e9bce264719f88c30e252ecc754d08f422f4c080"
}
]
},
"source": {
"advisory": "GHSA-86f3-hf24-76q4",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23650",
"datePublished": "2022-02-18T22:00:12.000Z",
"dateReserved": "2022-01-19T00:00:00.000Z",
"dateUpdated": "2025-04-23T19:02:25.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0664 (GCVE-0-2022-0664)
Vulnerability from nvd – Published: 2022-02-18 14:00 – Updated: 2024-08-02 23:32
VLAI
Title
Use of Hard-coded Cryptographic Key in gravitl/netmaker
Summary
Use of Hard-coded Cryptographic Key in Go github.com/gravitl/netmaker prior to 0.8.5,0.9.4,0.10.0,0.10.1.
Severity
8.8 (High)
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/29898a42-fd4f-4b5b-a8e… | x_refsource_CONFIRM |
| https://github.com/gravitl/netmaker/commit/9bee12… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gravitl | gravitl/netmaker |
Affected:
unspecified , < 0.8.5,0.9.4,0.10.0,0.10.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:32:46.560Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/29898a42-fd4f-4b5b-a8e3-ab573cb87eac"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/commit/9bee12642986cb9534e268447b70e6f0f03c59cf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "gravitl/netmaker",
"vendor": "gravitl",
"versions": [
{
"lessThan": "0.8.5,0.9.4,0.10.0,0.10.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use of Hard-coded Cryptographic Key in Go github.com/gravitl/netmaker prior to 0.8.5,0.9.4,0.10.0,0.10.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-18T14:00:12.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/29898a42-fd4f-4b5b-a8e3-ab573cb87eac"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/commit/9bee12642986cb9534e268447b70e6f0f03c59cf"
}
],
"source": {
"advisory": "29898a42-fd4f-4b5b-a8e3-ab573cb87eac",
"discovery": "EXTERNAL"
},
"title": "Use of Hard-coded Cryptographic Key in gravitl/netmaker",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0664",
"STATE": "PUBLIC",
"TITLE": "Use of Hard-coded Cryptographic Key in gravitl/netmaker"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gravitl/netmaker",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.8.5,0.9.4,0.10.0,0.10.1"
}
]
}
}
]
},
"vendor_name": "gravitl"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Use of Hard-coded Cryptographic Key in Go github.com/gravitl/netmaker prior to 0.8.5,0.9.4,0.10.0,0.10.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-321 Use of Hard-coded Cryptographic Key"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/29898a42-fd4f-4b5b-a8e3-ab573cb87eac",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/29898a42-fd4f-4b5b-a8e3-ab573cb87eac"
},
{
"name": "https://github.com/gravitl/netmaker/commit/9bee12642986cb9534e268447b70e6f0f03c59cf",
"refsource": "MISC",
"url": "https://github.com/gravitl/netmaker/commit/9bee12642986cb9534e268447b70e6f0f03c59cf"
}
]
},
"source": {
"advisory": "29898a42-fd4f-4b5b-a8e3-ab573cb87eac",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0664",
"datePublished": "2022-02-18T14:00:13.000Z",
"dateReserved": "2022-02-17T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:32:46.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-38651 (GCVE-0-2026-38651)
Vulnerability from cvelistv5 – Published: 2026-04-28 00:00 – Updated: 2026-04-28 17:34
VLAI
Summary
Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information
Severity
8.2 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- n/a
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-38651",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-28T17:34:36.148138Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347 Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T17:34:42.863Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass/"
},
{
"tags": [
"exploit"
],
"url": "https://www.zyenra.com/blog/netmaker-jwt-verification-bypass"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T15:44:00.225Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/gravitl/netmaker/commit/5309aa70d464ef565911369714d661a61481a79b"
},
{
"url": "https://www.zyenra.com/blog/netmaker-jwt-verification-bypass"
},
{
"url": "https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2026-38651",
"datePublished": "2026-04-28T00:00:00.000Z",
"dateReserved": "2026-04-06T00:00:00.000Z",
"dateUpdated": "2026-04-28T17:34:42.863Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29771 (GCVE-0-2026-29771)
Vulnerability from cvelistv5 – Published: 2026-03-07 15:14 – Updated: 2026-03-09 18:27
VLAI
Title
Netmaker: Denial of Service via Server Shutdown Endpoint
Summary
Netmaker makes networks with WireGuard. Prior to version 1.2.0, the /api/server/shutdown endpoint allows termination of the Netmaker server process via syscall.SIGINT. This allows any user to repeatedly shut down the server, causing cyclic denial of service with approximately 3-second restart intervals. This issue has been patched in version 1.2.0.
Severity
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-404 - Improper Resource Shutdown or Release
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/gravitl/netmaker/security/advi… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29771",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-09T17:43:39.289015Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T18:27:17.865Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netmaker",
"vendor": "gravitl",
"versions": [
{
"status": "affected",
"version": "\u003c 1.2.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netmaker makes networks with WireGuard. Prior to version 1.2.0, the /api/server/shutdown endpoint allows termination of the Netmaker server process via syscall.SIGINT. This allows any user to repeatedly shut down the server, causing cyclic denial of service with approximately 3-second restart intervals. This issue has been patched in version 1.2.0."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-404",
"description": "CWE-404: Improper Resource Shutdown or Release",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-07T15:14:38.361Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-rhr9-hgcm-x289",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-rhr9-hgcm-x289"
}
],
"source": {
"advisory": "GHSA-rhr9-hgcm-x289",
"discovery": "UNKNOWN"
},
"title": "Netmaker: Denial of Service via Server Shutdown Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-29771",
"datePublished": "2026-03-07T15:14:38.361Z",
"dateReserved": "2026-03-04T16:26:02.897Z",
"dateUpdated": "2026-03-09T18:27:17.865Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2023-32079 (GCVE-0-2023-32079)
Vulnerability from cvelistv5 – Published: 2023-08-24 22:03 – Updated: 2024-10-02 19:11
VLAI
Title
Netmaker Privilige Escalation Vulnerability
Summary
Netmaker makes networks with WireGuard. A Mass assignment vulnerability was found in versions prior to 0.17.1 and 0.18.6 that allows a non-admin user to escalate privileges to those of an admin user. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest docker image of the backend and restart the server.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/gravitl/netmaker/security/advi… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:29.193Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-826j-8wp2-4x6q",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-826j-8wp2-4x6q"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32079",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T19:11:14.591343Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T19:11:26.186Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netmaker",
"vendor": "gravitl",
"versions": [
{
"status": "affected",
"version": "\u003c 0.17.1"
},
{
"status": "affected",
"version": "\u003e= 0.18.0, \u003c 0.18.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netmaker makes networks with WireGuard. A Mass assignment vulnerability was found in versions prior to 0.17.1 and 0.18.6 that allows a non-admin user to escalate privileges to those of an admin user. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest docker image of the backend and restart the server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-24T22:03:43.825Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-826j-8wp2-4x6q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-826j-8wp2-4x6q"
}
],
"source": {
"advisory": "GHSA-826j-8wp2-4x6q",
"discovery": "UNKNOWN"
},
"title": "Netmaker Privilige Escalation Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32079",
"datePublished": "2023-08-24T22:03:43.825Z",
"dateReserved": "2023-05-01T16:47:35.315Z",
"dateUpdated": "2024-10-02T19:11:26.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32078 (GCVE-0-2023-32078)
Vulnerability from cvelistv5 – Published: 2023-08-24 21:35 – Updated: 2024-10-02 19:12
VLAI
Title
Netmaker IDOR Vulnerability Allows User to Update Other User's Password
Summary
Netmaker makes networks with WireGuard. An Insecure Direct Object Reference (IDOR) vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the user update function. By specifying another user's username, it was possible to update the other user's password. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest docker image of the backend and restart the server.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gravitl/netmaker/security/advi… | x_refsource_CONFIRM |
| https://github.com/gravitl/netmaker/pull/2158 | x_refsource_MISC |
| https://github.com/gravitl/netmaker/commit/b3be57… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.754Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-256m-j5qw-38f4",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-256m-j5qw-38f4"
},
{
"name": "https://github.com/gravitl/netmaker/pull/2158",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/pull/2158"
},
{
"name": "https://github.com/gravitl/netmaker/commit/b3be57c65bf0bbfab43b66853c8e3637a43e2839",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/commit/b3be57c65bf0bbfab43b66853c8e3637a43e2839"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32078",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T19:12:21.892908Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T19:12:47.050Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netmaker",
"vendor": "gravitl",
"versions": [
{
"status": "affected",
"version": "\u003c 0.17.1"
},
{
"status": "affected",
"version": "\u003e= 0.18.0, \u003c 0.18.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netmaker makes networks with WireGuard. An Insecure Direct Object Reference (IDOR) vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the user update function. By specifying another user\u0027s username, it was possible to update the other user\u0027s password. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest docker image of the backend and restart the server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-24T22:02:05.475Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-256m-j5qw-38f4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-256m-j5qw-38f4"
},
{
"name": "https://github.com/gravitl/netmaker/pull/2158",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/pull/2158"
},
{
"name": "https://github.com/gravitl/netmaker/commit/b3be57c65bf0bbfab43b66853c8e3637a43e2839",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/commit/b3be57c65bf0bbfab43b66853c8e3637a43e2839"
}
],
"source": {
"advisory": "GHSA-256m-j5qw-38f4",
"discovery": "UNKNOWN"
},
"title": "Netmaker IDOR Vulnerability Allows User to Update Other User\u0027s Password"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32078",
"datePublished": "2023-08-24T21:35:05.611Z",
"dateReserved": "2023-05-01T16:47:35.315Z",
"dateUpdated": "2024-10-02T19:12:47.050Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-32077 (GCVE-0-2023-32077)
Vulnerability from cvelistv5 – Published: 2023-08-24 21:23 – Updated: 2024-10-02 19:14
VLAI
Title
Netmaker has Hardcoded DNS Secret Key
Summary
Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gravitl/netmaker/security/advi… | x_refsource_CONFIRM |
| https://github.com/gravitl/netmaker/pull/2170 | x_refsource_MISC |
| https://github.com/gravitl/netmaker/commit/1621c2… | x_refsource_MISC |
| https://github.com/gravitl/netmaker/commit/9362c3… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T15:03:28.931Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx"
},
{
"name": "https://github.com/gravitl/netmaker/pull/2170",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/pull/2170"
},
{
"name": "https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51"
},
{
"name": "https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-32077",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T19:14:09.737338Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T19:14:22.352Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netmaker",
"vendor": "gravitl",
"versions": [
{
"status": "affected",
"version": "\u003c 0.17.1"
},
{
"status": "affected",
"version": "\u003e= 0.18.0, \u003c 0.18.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321: Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-08-24T21:57:07.712Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx"
},
{
"name": "https://github.com/gravitl/netmaker/pull/2170",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/pull/2170"
},
{
"name": "https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51"
},
{
"name": "https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657"
}
],
"source": {
"advisory": "GHSA-8x8h-hcq8-jwwx",
"discovery": "UNKNOWN"
},
"title": "Netmaker has Hardcoded DNS Secret Key"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-32077",
"datePublished": "2023-08-24T21:23:14.294Z",
"dateReserved": "2023-05-01T16:47:35.315Z",
"dateUpdated": "2024-10-02T19:14:22.352Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-36110 (GCVE-0-2022-36110)
Vulnerability from cvelistv5 – Published: 2022-09-09 19:15 – Updated: 2025-04-23 17:12
VLAI
Title
Netmaker vulnerable to Insufficient Granularity of Access Control
Summary
Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gravitl/netmaker/security/advi… | x_refsource_CONFIRM |
| https://github.com/gravitl/netmaker/releases/tag/… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T09:52:00.453Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/releases/tag/v0.15.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-36110",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:49:24.565249Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T17:12:19.594Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netmaker",
"vendor": "gravitl",
"versions": [
{
"status": "affected",
"version": "\u003c 0.15.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "CWE-1220: Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-09-09T19:15:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/releases/tag/v0.15.1"
}
],
"source": {
"advisory": "GHSA-ggf6-638m-vqmg",
"discovery": "UNKNOWN"
},
"title": "Netmaker vulnerable to Insufficient Granularity of Access Control",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-36110",
"STATE": "PUBLIC",
"TITLE": "Netmaker vulnerable to Insufficient Granularity of Access Control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "netmaker",
"version": {
"version_data": [
{
"version_value": "\u003c 0.15.1"
}
]
}
}
]
},
"vendor_name": "gravitl"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-1220: Insufficient Granularity of Access Control"
}
]
},
{
"description": [
{
"lang": "eng",
"value": "CWE-285: Improper Authorization"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg",
"refsource": "CONFIRM",
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg"
},
{
"name": "https://github.com/gravitl/netmaker/releases/tag/v0.15.1",
"refsource": "MISC",
"url": "https://github.com/gravitl/netmaker/releases/tag/v0.15.1"
}
]
},
"source": {
"advisory": "GHSA-ggf6-638m-vqmg",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-36110",
"datePublished": "2022-09-09T19:15:12.000Z",
"dateReserved": "2022-07-15T00:00:00.000Z",
"dateUpdated": "2025-04-23T17:12:19.594Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-23650 (GCVE-0-2022-23650)
Vulnerability from cvelistv5 – Published: 2022-02-18 22:00 – Updated: 2025-04-23 19:02
VLAI
Title
Use of Hard-coded Cryptographic Key in Netmaker
Summary
Netmaker is a platform for creating and managing virtual overlay networks using WireGuard. Prior to versions 0.8.5, 0.9.4, and 010.0, there is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server if the exploiter know the address and username of the admin. This effects the server (netmaker) component, and not clients. This has been patched in Netmaker v0.8.5, v0.9.4, and v0.10.0. There are currently no known workarounds.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/gravitl/netmaker/security/advi… | x_refsource_CONFIRM |
| https://github.com/gravitl/netmaker/pull/781/comm… | x_refsource_MISC |
| https://github.com/gravitl/netmaker/commit/3d4f44… | x_refsource_MISC |
| https://github.com/gravitl/netmaker/commit/e9bce2… | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T03:51:44.211Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-86f3-hf24-76q4"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/pull/781/commits/1bec97c662670dfdab804343fc42ae4b1d050a87"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/commit/3d4f44ecfe8be4ca38920556ba3b90502ffb4fee"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/commit/e9bce264719f88c30e252ecc754d08f422f4c080"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-23650",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-23T15:55:56.957444Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-23T19:02:25.121Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "netmaker",
"vendor": "gravitl",
"versions": [
{
"status": "affected",
"version": "\u003c 0.8.5"
},
{
"status": "affected",
"version": "\u003e= 0.9.0, \u003c 0.9.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Netmaker is a platform for creating and managing virtual overlay networks using WireGuard. Prior to versions 0.8.5, 0.9.4, and 010.0, there is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server if the exploiter know the address and username of the admin. This effects the server (netmaker) component, and not clients. This has been patched in Netmaker v0.8.5, v0.9.4, and v0.10.0. There are currently no known workarounds."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321: Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-18T22:00:12.000Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-86f3-hf24-76q4"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/pull/781/commits/1bec97c662670dfdab804343fc42ae4b1d050a87"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/commit/3d4f44ecfe8be4ca38920556ba3b90502ffb4fee"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/commit/e9bce264719f88c30e252ecc754d08f422f4c080"
}
],
"source": {
"advisory": "GHSA-86f3-hf24-76q4",
"discovery": "UNKNOWN"
},
"title": "Use of Hard-coded Cryptographic Key in Netmaker",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-23650",
"STATE": "PUBLIC",
"TITLE": "Use of Hard-coded Cryptographic Key in Netmaker"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "netmaker",
"version": {
"version_data": [
{
"version_value": "\u003c 0.8.5"
},
{
"version_value": "\u003e= 0.9.0, \u003c 0.9.4"
}
]
}
}
]
},
"vendor_name": "gravitl"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Netmaker is a platform for creating and managing virtual overlay networks using WireGuard. Prior to versions 0.8.5, 0.9.4, and 010.0, there is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server if the exploiter know the address and username of the admin. This effects the server (netmaker) component, and not clients. This has been patched in Netmaker v0.8.5, v0.9.4, and v0.10.0. There are currently no known workarounds."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-321: Use of Hard-coded Cryptographic Key"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-86f3-hf24-76q4",
"refsource": "CONFIRM",
"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-86f3-hf24-76q4"
},
{
"name": "https://github.com/gravitl/netmaker/pull/781/commits/1bec97c662670dfdab804343fc42ae4b1d050a87",
"refsource": "MISC",
"url": "https://github.com/gravitl/netmaker/pull/781/commits/1bec97c662670dfdab804343fc42ae4b1d050a87"
},
{
"name": "https://github.com/gravitl/netmaker/commit/3d4f44ecfe8be4ca38920556ba3b90502ffb4fee",
"refsource": "MISC",
"url": "https://github.com/gravitl/netmaker/commit/3d4f44ecfe8be4ca38920556ba3b90502ffb4fee"
},
{
"name": "https://github.com/gravitl/netmaker/commit/e9bce264719f88c30e252ecc754d08f422f4c080",
"refsource": "MISC",
"url": "https://github.com/gravitl/netmaker/commit/e9bce264719f88c30e252ecc754d08f422f4c080"
}
]
},
"source": {
"advisory": "GHSA-86f3-hf24-76q4",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2022-23650",
"datePublished": "2022-02-18T22:00:12.000Z",
"dateReserved": "2022-01-19T00:00:00.000Z",
"dateUpdated": "2025-04-23T19:02:25.121Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-0664 (GCVE-0-2022-0664)
Vulnerability from cvelistv5 – Published: 2022-02-18 14:00 – Updated: 2024-08-02 23:32
VLAI
Title
Use of Hard-coded Cryptographic Key in gravitl/netmaker
Summary
Use of Hard-coded Cryptographic Key in Go github.com/gravitl/netmaker prior to 0.8.5,0.9.4,0.10.0,0.10.1.
Severity
8.8 (High)
CWE
- CWE-321 - Use of Hard-coded Cryptographic Key
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://huntr.dev/bounties/29898a42-fd4f-4b5b-a8e… | x_refsource_CONFIRM |
| https://github.com/gravitl/netmaker/commit/9bee12… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gravitl | gravitl/netmaker |
Affected:
unspecified , < 0.8.5,0.9.4,0.10.0,0.10.1
(custom)
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:32:46.560Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://huntr.dev/bounties/29898a42-fd4f-4b5b-a8e3-ab573cb87eac"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/gravitl/netmaker/commit/9bee12642986cb9534e268447b70e6f0f03c59cf"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "gravitl/netmaker",
"vendor": "gravitl",
"versions": [
{
"lessThan": "0.8.5,0.9.4,0.10.0,0.10.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Use of Hard-coded Cryptographic Key in Go github.com/gravitl/netmaker prior to 0.8.5,0.9.4,0.10.0,0.10.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "CWE-321 Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-02-18T14:00:12.000Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntrdev"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://huntr.dev/bounties/29898a42-fd4f-4b5b-a8e3-ab573cb87eac"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gravitl/netmaker/commit/9bee12642986cb9534e268447b70e6f0f03c59cf"
}
],
"source": {
"advisory": "29898a42-fd4f-4b5b-a8e3-ab573cb87eac",
"discovery": "EXTERNAL"
},
"title": "Use of Hard-coded Cryptographic Key in gravitl/netmaker",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@huntr.dev",
"ID": "CVE-2022-0664",
"STATE": "PUBLIC",
"TITLE": "Use of Hard-coded Cryptographic Key in gravitl/netmaker"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "gravitl/netmaker",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_value": "0.8.5,0.9.4,0.10.0,0.10.1"
}
]
}
}
]
},
"vendor_name": "gravitl"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Use of Hard-coded Cryptographic Key in Go github.com/gravitl/netmaker prior to 0.8.5,0.9.4,0.10.0,0.10.1."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-321 Use of Hard-coded Cryptographic Key"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://huntr.dev/bounties/29898a42-fd4f-4b5b-a8e3-ab573cb87eac",
"refsource": "CONFIRM",
"url": "https://huntr.dev/bounties/29898a42-fd4f-4b5b-a8e3-ab573cb87eac"
},
{
"name": "https://github.com/gravitl/netmaker/commit/9bee12642986cb9534e268447b70e6f0f03c59cf",
"refsource": "MISC",
"url": "https://github.com/gravitl/netmaker/commit/9bee12642986cb9534e268447b70e6f0f03c59cf"
}
]
},
"source": {
"advisory": "29898a42-fd4f-4b5b-a8e3-ab573cb87eac",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntrdev",
"cveId": "CVE-2022-0664",
"datePublished": "2022-02-18T14:00:13.000Z",
"dateReserved": "2022-02-17T00:00:00.000Z",
"dateUpdated": "2024-08-02T23:32:46.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}