CVE-2022-36110

Netmaker vulnerable to Insufficient Granularity of Access Control

CVSS 8.8 HIGH · EPSS 0.7% · CWE-1220 · CWE-285
In short

Netmaker allowed non-admin users to perform administrator-level actions through the API by using their authentication tokens. This means someone without admin permission could gain full control over the network configuration and other sensitive operations.

Technical detail

Netmaker prior to v0.15.1 suffers from improper authorization in API endpoints, allowing authenticated non-privileged users to execute administrator-level functions. The vulnerability stems from insufficient access control granularity (CWE-1220, CWE-285), where API authorization checks fail to properly verify user privileges before executing sensitive operations, resulting in privilege escalation.

Summary generated and translated by AI from the official description.
Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
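The failure mode described above, as an added Go example (constructed for this page, not Netmaker's code): an admin-level endpoint guarded only by token validity, beside the corrected guard that authenticates and then also checks the token's privilege bit. The Claims type, the in-memory token store and the /api/networks path are assumptions.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// Claims is a constructed stand-in for the identity a bearer token carries
// (not Netmaker's real token format); IsAdmin is the privilege bit.
type Claims struct {
	User    string
	IsAdmin bool
}
// Constructed in-memory token store: bearer token -> claims.
var tokens = map[string]Claims{"tok-admin": {"alice", true}, "tok-user": {"bob", false}}

// authenticate only answers "is this a valid token?"; it says nothing about privilege.
func authenticate(r *http.Request) (Claims, bool) {
	c, ok := tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
	return c, ok
}
// adminGuard wraps an admin-level handler. With checkPrivilege=false it models the
// flawed check (any authenticated user passes); with true it is the corrected check.
func adminGuard(next http.Handler, checkPrivilege bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, ok := authenticate(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if checkPrivilege && !c.IsAdmin {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// call sends one request to a guarded admin endpoint and returns the HTTP status.
func call(token string, checkPrivilege bool) int {
	okHandler := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	req := httptest.NewRequest(http.MethodPost, "/api/networks", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	rec := httptest.NewRecorder()
	adminGuard(okHandler, checkPrivilege).ServeHTTP(rec, req)
	return rec.Code
}
```

With the flawed guard, `call("tok-user", false)` returns 200 for a non-admin token; the corrected guard returns 403 for the same token and 200 only for an admin token.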
Affected products
gravitl · netmaker
