Description
CVE-2023-32078 references github.com/gravitl/netmaker, which may be a Go module.
Description:
Netmaker makes networks with WireGuard. An Insecure Direct Object Reference (IDOR) vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the user update function. By specifying another user's username, it was possible to update the other user's password. The issue is patched in 0.17.1 and fixed in 0.18.6. If Users are using 0.17.1, they should run docker pull gravitl/netmaker:v0.17.1 and docker-compose up -d. This will switch them to the patched users. If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull the latest docker image of the backend and restart the server.
References:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-32078
- JSON: https://github.com/CVEProject/cvelist/tree/87e3e597042195e0e4642cfb23d26ddf77a1c0a8/2023/32xxx/CVE-2023-32078.json
- advisory: GHSA-256m-j5qw-38f4
- fix: add checks to user update processing gravitl/netmaker#2158
- fix: gravitl/netmaker@b3be57c
- Imported by: https://pkg.go.dev/github.com/gravitl/netmaker?tab=importedby
Cross references:
- Module github.com/gravitl/netmaker appears in issue x/vulndb: potential Go vuln in github.com/gravitl/netmaker: CVE-2022-23650 #328 EFFECTIVELY_PRIVATE
- Module github.com/gravitl/netmaker appears in issue x/vulndb: potential Go vuln in github.com/gravitl/netmaker: GHSA-6rrw-4fm9-rghv #561 EFFECTIVELY_PRIVATE
- Module github.com/gravitl/netmaker appears in issue x/vulndb: potential Go vuln in github.com/gravitl/netmaker: CVE-2022-36110 #986 NOT_IMPORTABLE
See doc/triage.md for instructions on how to triage this report.
modules:
- module: github.com/gravitl/netmaker
vulnerable_at: 0.20.6
packages:
- package: netmaker
description: |-
Netmaker makes networks with WireGuard. An Insecure Direct Object Reference
(IDOR) vulnerability was found in versions prior to 0.17.1 and 0.18.6 in the
user update function. By specifying another user's username, it was possible to
update the other user's password. The issue is patched in 0.17.1 and fixed in
0.18.6. If Users are using 0.17.1, they should run `docker pull
gravitl/netmaker:v0.17.1` and `docker-compose up -d`. This will switch them to
the patched users. If users are using v0.18.0-0.18.5, they should upgrade to
v0.18.6 or later. As a workaround, someone who is using version 0.17.1 can pull
the latest docker image of the backend and restart the server.
cves:
- CVE-2023-32078
references:
- advisory: https://github.com/gravitl/netmaker/security/advisories/GHSA-256m-j5qw-38f4
- fix: https://github.com/gravitl/netmaker/pull/2158
- fix: https://github.com/gravitl/netmaker/commit/b3be57c65bf0bbfab43b66853c8e3637a43e2839