CVE-2023-32077 (GCVE-0-2023-32077)
Vulnerability from cvelistv5
Published
2023-08-24 21:23
Modified
2024-10-02 19:14
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE
  • CWE-321 - Use of Hard-coded Cryptographic Key
Summary
Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server.
References
Impacted products
Vendor Product Version
gravitl netmaker Version: < 0.17.1
Version: >= 0.18.0, < 0.18.6
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T15:03:28.931Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx"
          },
          {
            "name": "https://github.com/gravitl/netmaker/pull/2170",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/gravitl/netmaker/pull/2170"
          },
          {
            "name": "https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51"
          },
          {
            "name": "https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-32077",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-02T19:14:09.737338Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-02T19:14:22.352Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "netmaker",
          "vendor": "gravitl",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.17.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 0.18.0, \u003c 0.18.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6.  If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-321",
              "description": "CWE-321: Use of Hard-coded Cryptographic Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-08-24T21:57:07.712Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx"
        },
        {
          "name": "https://github.com/gravitl/netmaker/pull/2170",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gravitl/netmaker/pull/2170"
        },
        {
          "name": "https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51"
        },
        {
          "name": "https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657"
        }
      ],
      "source": {
        "advisory": "GHSA-8x8h-hcq8-jwwx",
        "discovery": "UNKNOWN"
      },
      "title": "Netmaker has Hardcoded DNS Secret Key"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-32077",
    "datePublished": "2023-08-24T21:23:14.294Z",
    "dateReserved": "2023-05-01T16:47:35.315Z",
    "dateUpdated": "2024-10-02T19:14:22.352Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-32077\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-08-24T22:15:08.077\",\"lastModified\":\"2024-11-21T08:02:39.973\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6.  If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-321\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gravitl:netmaker:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.17.1\",\"matchCriteriaId\":\"D271FC17-56AA-4851-846B-D7D174EBFB45\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gravitl:netmaker:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"0.18.0\",\"versionEndIncluding\":\"0.18.5\",\"matchCriteriaId\":\"249015D8-1590-4B85-A3F7-6F5F360CF0AD\"}]}]}],\"references\":[{\"url\":\"https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/gravitl/netmaker/pull/2170\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/gravitl/netmaker/pull/2170\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx\", \"name\": \"https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/gravitl/netmaker/pull/2170\", \"name\": \"https://github.com/gravitl/netmaker/pull/2170\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51\", \"name\": \"https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657\", \"name\": \"https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T15:03:28.931Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-32077\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-02T19:14:09.737338Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-02T19:14:17.833Z\"}}], \"cna\": {\"title\": \"Netmaker has Hardcoded DNS Secret Key\", \"source\": {\"advisory\": \"GHSA-8x8h-hcq8-jwwx\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"gravitl\", \"product\": \"netmaker\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 0.17.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 0.18.0, \u003c 0.18.6\"}]}], \"references\": [{\"url\": \"https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx\", \"name\": \"https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/gravitl/netmaker/pull/2170\", \"name\": \"https://github.com/gravitl/netmaker/pull/2170\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51\", \"name\": \"https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657\", \"name\": \"https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6.  If users are using 0.17.1, they should run `docker pull gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-321\", \"description\": \"CWE-321: Use of Hard-coded Cryptographic Key\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-08-24T21:57:07.712Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-32077\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-02T19:14:22.352Z\", \"dateReserved\": \"2023-05-01T16:47:35.315Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-08-24T21:23:14.294Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.