SB2023090530 - Multiple vulnerabilities in Netmaker
Published: September 5, 2023
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-32079)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to a mass assignment issue, which leads to a bypass of security restrictions and privilege escalation.
2) Use of hard-coded credentials (CVE-ID: CVE-2023-32077)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the presence of hard-coded credentials in application code. A remote unauthenticated attacker can interact with DNS API endpoints.
3) Authorization bypass through user-controlled key (CVE-ID: CVE-2023-32078)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to an IDOR issue in the user update function. A remote attacker can update another user's password.
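The two bug classes in items 1 and 3 (mass assignment, and IDOR in a user update function) shown side by side with a hardened form, as an added Go example that is not Netmaker's code and not part of the original bulletin. The User type, function names and sample data are hypothetical and constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

type User struct { // hypothetical account record, not Netmaker's own model
	UserName string
	Password string // a real server stores a password hash; omitted here
	IsAdmin  bool
}

var ErrForbidden = errors.New("forbidden")

// UpdateUserUnsafe is the flawed pattern: the body is decoded straight into the
// stored record (mass assignment) and caller is never compared with target (IDOR).
func UpdateUserUnsafe(store map[string]*User, caller *User, target string, body []byte) error {
	return json.Unmarshal(body, store[target])
}

// UpdateUser is the hardened form of the same operation.
func UpdateUser(store map[string]*User, caller *User, target string, body []byte) error {
	// target is client-supplied: bind it to the authenticated identity first.
	u, ok := store[target]
	if !ok || (!caller.IsAdmin && caller.UserName != target) {
		return ErrForbidden
	}
	// Decode into a narrow type, so privilege fields are not assignable at all.
	var in struct {
		Password string `json:"password"`
	}
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields() // reject extra keys such as "isadmin"
	if err := dec.Decode(&in); err != nil || in.Password == "" {
		return fmt.Errorf("rejected update for %q", target)
	}
	u.Password = in.Password
	return nil
}

func main() { // constructed sample data
	store := map[string]*User{"alice": {UserName: "alice"}, "bob": {UserName: "bob"}}
	body := []byte(`{"password":"x","isadmin":true}`)
	fmt.Println(UpdateUserUnsafe(store, store["alice"], "bob", body), store["bob"].IsAdmin)
	fmt.Println(UpdateUser(store, store["alice"], "bob", body))
}
```

The hardened function returns the same error for an unknown target and an unauthorized one, so the response does not reveal which accounts exist.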
Remediation
Install the update from the vendor's website.
References
- https://github.com/gravitl/netmaker/security/advisories/GHSA-826j-8wp2-4x6q
- https://github.com/gravitl/netmaker/pull/2170
- https://github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51
- https://github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657
- https://github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx
- https://github.com/gravitl/netmaker/security/advisories/GHSA-256m-j5qw-38f4
- https://github.com/gravitl/netmaker/pull/2158
- https://github.com/gravitl/netmaker/commit/b3be57c65bf0bbfab43b66853c8e3637a43e2839