Skip to content

Insufficient Granularity of Access Control in Netmaker

Moderate
afeiszli published GHSA-ggf6-638m-vqmg Sep 9, 2022

Package

gomod netmaker (Go)

Affected versions

< v0.15.1

Patched versions

0.15.1

Description

This vulnerability was brought to our attention by @tweidinger

Impact

Improper Authorization functions leads to non-privileged users running privileged API calls. If you have added users to your Netmaker platform who whould not have admin privileges, they could use their auth token to run admin-level functions via the API.

In addition, differing response codes based on function calls allowed non-users to potentially brute force the determination of names of networks on the system.

Patches

This problem has been patched in v0.15.1. To apply:

  1. docker-compose down
  2. docker pull gravitl/netmaker:v0.15.1
  3. docker-compose up -d

For more information

If you have any questions or comments about this advisory:

Email us at [email protected]

Severity

Moderate

CVE ID

CVE-2022-36110

Weaknesses