ghsa-826j-8wp2-4x6q
Vulnerability from github
Published
2023-08-25 18:42
Modified
2023-08-25 18:42
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Netmaker Vulnerable to Privilege Escalation From Non Admin To Admin User
Details

Impact

A Mass assignment vulnerability was found allowing a non-admin user to escalate privileges to admin user.

Patches

Issue is patched in 0.17.1, and fixed in 0.18.6+.

If Users are using 0.17.1, they should run "docker pull gravitl/netmaker:v0.17.1" and "docker-compose up -d". This will switch them to the patched users

If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later.

Workarounds

If using 0.17.1, can just pull the latest docker image of backend and restart server.

References

Credit to Project Discovery, and in particular https://github.com/rootxharsh , https://github.com/iamnoooob, and https://github.com/projectdiscovery

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gravitl/netmaker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.17.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gravitl/netmaker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.18.0"
            },
            {
              "fixed": "0.18.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32079"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-915"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-25T18:42:53Z",
    "nvd_published_at": "2023-08-24T23:15:08Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA Mass assignment vulnerability was found allowing a non-admin user to escalate privileges to admin user.\n\n### Patches\nIssue is patched in 0.17.1, and fixed in 0.18.6+.\n\nIf Users are using 0.17.1, they should run \"docker pull gravitl/netmaker:v0.17.1\" and \"docker-compose up -d\". This will switch them to the patched users\n\nIf users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later.\n\n### Workarounds\nIf using 0.17.1, can just pull the latest docker image of backend and restart server.\n\n### References\nCredit to Project Discovery, and in particular https://github.com/rootxharsh , https://github.com/iamnoooob, and https://github.com/projectdiscovery",
  "id": "GHSA-826j-8wp2-4x6q",
  "modified": "2023-08-25T18:42:53Z",
  "published": "2023-08-25T18:42:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-826j-8wp2-4x6q"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32079"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gravitl/netmaker"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Netmaker Vulnerable to Privilege Escalation From Non Admin To Admin User"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.