Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running…
GitHub_M·CWE-1220·Published 2022-09-09
Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1.
Netmaker vulnerable to Insufficient Granularity of Access Control in github.com/gravitl/netmaker
### Impact

Improper Authorization functions lead to non-privileged users running privileged API calls. If you have added users to your Netmaker platform who should not have admin privileges, they could use their auth token to run admin-level functions via the API. In addition, differing response codes based on function calls allowed non-users to potentially brute-force the names of networks on the system.

### Patches

This problem has been patched in v0.15.1. To apply:

1. `docker-compose down`
2. `docker pull gravitl/netmaker:v0.15.1`
3. `docker-compose up -d`

### For more information

If you have any questions or comments about this advisory, email us at [info@netmaker.io](mailto:info@netmaker.io).

This vulnerability was brought to our attention by @tweidinger.
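The two defects the advisory names, an admin-only endpoint that accepts any valid user token and response codes that tell an unauthenticated caller whether a network name exists, can be shown side by side in a small Go HTTP handler. The following is an added example written for this page; it is not Netmaker's code, and the token map, the network names and the `/api/networks/` path are constructed for the illustration. `vulnerableHandler` reproduces the bug class; `requireAdmin` is the check a patched handler performs: authenticate first, then test the role, before any resource lookup, so the status a non-admin receives never depends on whether the resource exists.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// user is a minimal principal with a single admin flag.
// Constructed for this example; not Netmaker's user type.
type user struct {
	Name    string
	IsAdmin bool
}

// tokens maps bearer tokens to users. Constructed sample data.
var tokens = map[string]user{
	"tok-admin": {Name: "alice", IsAdmin: true},
	"tok-user":  {Name: "bob", IsAdmin: false},
}

// networks is the set of network names the server knows. Constructed sample data.
var networks = map[string]bool{"corp": true, "lab": true}

// authenticate resolves the Authorization header to a user.
func authenticate(r *http.Request) (user, bool) {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return user{}, false
	}
	u, ok := tokens[strings.TrimPrefix(h, "Bearer ")]
	return u, ok
}

// networkName extracts the name from the hypothetical /api/networks/{name} path.
func networkName(r *http.Request) string {
	return strings.TrimPrefix(r.URL.Path, "/api/networks/")
}

// showNetwork is the privileged operation. It assumes authorization was enforced
// by its caller and returns 404 only to callers who passed that gate.
func showNetwork(w http.ResponseWriter, r *http.Request) {
	name := networkName(r)
	if !networks[name] {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	fmt.Fprintf(w, "network %s\n", name)
}

// vulnerableHandler shows the bug class: it checks that a token is valid but never
// checks the role, so any user runs the admin operation; and it resolves the
// resource before authenticating, so an unauthenticated caller sees 404 for an
// unknown name and 401 for a known one, which reveals which names exist.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if !networks[networkName(r)] {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	if _, ok := authenticate(r); !ok {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	showNetwork(w, r)
}

// requireAdmin authenticates first and checks the admin role second, before the
// wrapped handler touches any resource. Missing or invalid tokens always get 401
// and valid non-admin tokens always get 403, regardless of the resource name.
func requireAdmin(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		u, ok := authenticate(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !u.IsAdmin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

// hardenedHandler is showNetwork behind the admin gate.
func hardenedHandler() http.HandlerFunc { return requireAdmin(showNetwork) }

// probe returns the HTTP status a handler yields for a token/name pair;
// an empty token sends no Authorization header at all.
func probe(h http.HandlerFunc, token, name string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/networks/"+name, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	for _, tc := range []struct{ token, name string }{
		{"", "corp"}, {"", "nope"}, {"tok-user", "corp"}, {"tok-user", "nope"}, {"tok-admin", "corp"},
	} {
		fmt.Printf("token=%-9q name=%-5s vulnerable=%d hardened=%d\n",
			tc.token, tc.name, probe(vulnerableHandler, tc.token, tc.name), probe(hardenedHandler(), tc.token, tc.name))
	}
}
```

Running `main` prints one row per probe. The vulnerable column shows 401 versus 404 for an unauthenticated caller depending on whether the name exists, and 200 for the non-admin token; the hardened column shows 401 for both unauthenticated probes, 403 for both non-admin probes, and 200 only for the admin token.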
Netmaker makes networks with WireGuard. In versions prior to 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been fixed in version 0.15.1.
| CVSS version | Type | Source | Base score | Exploitability subscore | Impact subscore | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | cve.org | 8.8 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Primary | NVD | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | GHSA | 8.8 | — | — | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | NVD | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |