CVE-2022-36110

Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/gravitl/netmaker/releases/tag/v0.15.1	Third Party Advisory
https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:gravitl:netmaker:*:*:*:*:*:*:*:*

History

27 Jun 2023, 20:52

Type	Values Removed	Values Added
CWE	~~CWE-863~~	NVD-CWE-Other

15 Sep 2022, 03:31

Type	Values Removed	Values Added
CWE	CWE-285 CWE-1220	CWE-863
First Time		Gravitl Gravitl netmaker
References	~~(CONFIRM) https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg -~~	(CONFIRM) https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg - Third Party Advisory
References	~~(MISC) https://github.com/gravitl/netmaker/releases/tag/v0.15.1 -~~	(MISC) https://github.com/gravitl/netmaker/releases/tag/v0.15.1 - Third Party Advisory
CPE		cpe:2.3:a:gravitl:netmaker::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8

09 Sep 2022, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-09-09 20:15

Updated : 2023-12-10 14:35

NVD link : CVE-2022-36110

Mitre link : CVE-2022-36110

CVE.ORG link : CVE-2022-36110

JSON object : View

Products Affected

gravitl

netmaker

CWE

NVD-CWE-Other CWE-1220

Insufficient Granularity of Access Control

CWE-285

Improper Authorization

{"id": "CVE-2022-36110", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2022-09-09T20:15:11.263", "references": [{"url": "https://github.com/gravitl/netmaker/releases/tag/v0.15.1", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-1220"}, {"lang": "en", "value": "CWE-285"}]}], "descriptions": [{"lang": "en", "value": "Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1."}, {"lang": "es", "value": "Netmaker hace redes con WireGuard. En versiones anteriores a 0.15.1, unas funciones de Autorizaci\u00f3n Inapropiada conllevan e que usuarios no privilegiados ejecutaran llamadas a la API privilegiadas. Si alguien a\u00f1ade usuarios a la plataforma Netmaker que no presentan privilegios de administrador, pueden usar sus auth tokens para ejecutar funciones de nivel de administrador por medio de la API. Este problema ha sido corregido en versi\u00f3n 0.15.1"}], "lastModified": "2023-06-27T20:52:26.647", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gravitl:netmaker:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6BA18ABF-4A20-4132-B8F7-B36F0088A65C", "versionEndExcluding": "0.15.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}