CVE-2023-32079

2023-08-2423:15:08

CWE-915

GitHub_M

web.nvd.nist.gov

netmaker

cve-2023-32079

wireguard

vulnerability

privilege escalation

docker

upgrade

patch

security fix

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.6

Confidence

High

EPSS

0.001

Percentile

38.7%

JSON

Netmaker makes networks with WireGuard. A Mass assignment vulnerability was found in versions prior to 0.17.1 and 0.18.6 that allows a non-admin user to escalate privileges to those of an admin user. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1, they should run docker pull gravitl/netmaker:v0.17.1 and docker-compose up -d. This will switch them to the patched users If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone using version 0.17.1 can pull the latest docker image of the backend and restart the server.

Affected configurations

Nvd

Vulners

Node

gravitlnetmakerRange<0.17.1

gravitlnetmakerRange0.18.0–0.18.5

VendorProductVersionCPE
gravitlnetmaker*cpe:2.3:a:gravitl:netmaker:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
gravitl	netmaker	*	cpe:2.3:a:gravitl:netmaker::::::::

CNA Affected

[
  {
    "vendor": "gravitl",
    "product": "netmaker",
    "versions": [
      {
        "version": "< 0.17.1",
        "status": "affected"
      },
      {
        "version": ">= 0.18.0, < 0.18.6",
        "status": "affected"
      }
    ]
  }
]