Netmaker Vulnerable to Privilege Escalation From Non Admin To Admin User

Impact A Mass assignment vulnerability was found allowing a non-admin user to escalate privileges to admin user. Patches Issue is patched in 0.17.1, and fixed in 0.18.6+. If Users are using 0.17.1, they should run "docker pull gravitl/netmaker:v0.17.1" and "docker-compose up -d". This will switch...

Netmaker IDOR Allows User to Update Other User's Password

Impact An IDOR vulnerability was found in the user update function. By specifying another user's username it is possible to update the other user's password. Patches Issue is patched in 0.17.1, and fixed in 0.18.6+. If Users are using 0.17.1, they should run "docker pull gravitl/netmaker:v0.17.1"...

GHSA-8X8H-HCQ8-JWWX Netmaker has Hardcoded DNS Secret Key

Impact Hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. Patches Issue is patched in 0.17.1, and fixed in 0.18.6+. If Users are using 0.17.1, they should run "docker pull gravitl/netmaker:v0.17.1" and "docker-compose up -d". This will...

Netmaker has Hardcoded DNS Secret Key

Impact Hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. Patches Issue is patched in 0.17.1, and fixed in 0.18.6+. If Users are using 0.17.1, they should run "docker pull gravitl/netmaker:v0.17.1" and "docker-compose up -d". This will...

CVE-2023-32079

Netmaker makes networks with WireGuard. A Mass assignment vulnerability was found in versions prior to 0.17.1 and 0.18.6 that allows a non-admin user to escalate privileges to those of an admin user. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1, they should run...

Design/Logic Flaw

Netmaker makes networks with WireGuard. A Mass assignment vulnerability was found in versions prior to 0.17.1 and 0.18.6 that allows a non-admin user to escalate privileges to those of an admin user. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1, they should run...

CVE-2023-32078

Netmaker makes networks with WireGuard. An Insecure Direct Object Reference IDOR vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the user update function. By specifying another user's username, it was possible to update the other user's password. The issue is patched in 0.17.1 a...

Default credentials

Netmaker makes networks with WireGuard. An Insecure Direct Object Reference IDOR vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the user update function. By specifying another user's username, it was possible to update the other user's password. The issue is patched in 0.17.1 a...

CVE-2023-32079

Netmaker (Gravitl) is affected by a Mass assignment privilege escalation vulnerability that lets a non-admin become admin. Affected versions are prior to 0.17.1 and 0.18.6. Mitigation: upgrade to 0.17.1 (patched) or 0.18.6+ (fixed). If on 0.17.1, run docker pull gravitl/netmaker:v0.17.1 and resta...

CVE-2023-32079 Netmaker Privilige Escalation Vulnerability

Netmaker makes networks with WireGuard. A Mass assignment vulnerability was found in versions prior to 0.17.1 and 0.18.6 that allows a non-admin user to escalate privileges to those of an admin user. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1, they should run...

CVE-2023-32078

CVE-2023-32078 : In Gravitl Netmaker (WireGuard-based networks), an insecure direct object reference (IDOR) vulnerability exists in the user update function that lets an attacker change another user’s password by providing a different username. Affected versions: before 0.17.1 and before 0.18.6. ...

CVE-2023-32078 Netmaker IDOR Vulnerability Allows User to Update Other User's Password

Netmaker makes networks with WireGuard. An Insecure Direct Object Reference IDOR vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the user update function. By specifying another user's username, it was possible to update the other user's password. The issue is patched in 0.17.1 a...

CVE-2023-32078 Netmaker IDOR Vulnerability Allows User to Update Other User's Password

Netmaker makes networks with WireGuard. An Insecure Direct Object Reference IDOR vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the user update function. By specifying another user's username, it was possible to update the other user's password. The issue is patched in 0.17.1 a...

CVE-2023-32077 Netmaker has Hardcoded DNS Secret Key

Netmaker makes networks with WireGuard. Prior to versions 0.17.1 and 0.18.6, hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints. The issue is patched in 0.17.1 and fixed in 0.18.6. If users are using 0.17.1, they should run docker pull...

Docker and Kubernetes, we have got you covered: Wiz simplifies compliance and security posture management for Docker and Kubernetes environments.

Ensure that your Docker and Kubernetes environments are secure and compliant with CIS benchmarks. Generate reports quickly and easily and remediate any issues with actionable insights...

H2 Web Interface Create Alias RCE

The H2 database contains an alias function which allows for arbitrary Java code to be used. This functionality can be abused to create an exec functionality to pull our payload down and execute it. H2's web interface contains restricts MANY characters, so injecting a payload directly is not...

GHSA-V9RW-HJR3-426H Jenkins Docker Swarm Plugin stored cross-site scripting vulnerability

Jenkins Docker Swarm Plugin processes Docker responses to generate the Docker Swarm Dashboard view. Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view. This results in a stored cross-site scripting XSS...

CVE-2023-40350

Jenkins Docker Swarm Plugin 1.11 and earlier does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to control responses from Docker...

CVE-2023-40350

Summary : CVE-2023-40350 affects Jenkins Docker Swarm Plugin ≤ 1.11. The vulnerability arises because the plugin does not escape values returned from Docker before inserting them into the Docker Swarm Dashboard view, enabling stored XSS when attackers can influence Docker responses. Public adviso...

SUSE SLES12 Security Update : docker (SUSE-SU-2023:3307-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3307-1 advisory. - Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, an...