GitHub Advisory DatabaseGHSA-8X8H-HCQ8-JWWXNetmaker has Hardcoded DNS Secret Key
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
95.7%
Impact
Hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints.
Patches
Issue is patched in 0.17.1, and fixed in 0.18.6+.
If Users are using 0.17.1, they should run “docker pull gravitl/netmaker:v0.17.1” and “docker-compose up -d”. This will switch them to the patched users
If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later.
Workarounds
If using 0.17.1, can just pull the latest docker image of backend and restart server.
References
Credit to Project Discovery, and in particular https://github.com/rootxharsh , https://github.com/iamnoooob, and https://github.com/projectdiscovery
Affected configurations
References
github.com/advisories/GHSA-8x8h-hcq8-jwwx
github.com/gravitl/netmaker/commit/1621c27c1d176b639e9768b2acad7693e387fd51
github.com/gravitl/netmaker/commit/9362c39a9a822f0e07361aa7c77af2610597e657
github.com/gravitl/netmaker/pull/2170
github.com/gravitl/netmaker/security/advisories/GHSA-8x8h-hcq8-jwwx
nvd.nist.gov/vuln/detail/CVE-2023-32077
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
95.7%