GHSA-8x8h-hcq8-jwwx

Source

https://github.com/advisories/GHSA-8x8h-hcq8-jwwx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-8x8h-hcq8-jwwx/GHSA-8x8h-hcq8-jwwx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-8x8h-hcq8-jwwx

Aliases

Published

2023-08-25T18:38:18Z

Modified

2024-08-21T14:41:40.215492Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Netmaker has Hardcoded DNS Secret Key

Details

Impact

Hardcoded DNS key usage has been found in Netmaker allowing unauth users to interact with DNS API endpoints.

Patches

Issue is patched in 0.17.1, and fixed in 0.18.6+.

If Users are using 0.17.1, they should run "docker pull gravitl/netmaker:v0.17.1" and "docker-compose up -d". This will switch them to the patched users

If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later.

Workarounds

If using 0.17.1, can just pull the latest docker image of backend and restart server.

References

Credit to Project Discovery, and in particular https://github.com/rootxharsh , https://github.com/iamnoooob, and https://github.com/projectdiscovery

Database specific

{
    "nvd_published_at": "2023-08-24T22:15:08Z",
    "severity": "HIGH",
    "github_reviewed_at": "2023-08-25T18:38:18Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-321",
        "CWE-798"
    ]
}

References

Affected packages

Go / github.com/gravitl/netmaker

Package

Name: github.com/gravitl/netmaker; View open source insights on deps.dev
Purl: pkg:golang/github.com/gravitl/netmaker

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.17.1