CVE-2022-36110 : Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Author

Netmaker makes networks with WireGuard. Prior to version 0.15.1, Improper Authorization functions lead to non-privileged users running privileged API calls. If someone adds users to the Netmaker platform who do not have admin privileges, they can use their auth tokens to run admin-level functions via the API. This problem has been patched in v0.15.1.

Published 2022-09-09 20:15:11

Updated 2023-06-27 20:52:27

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: BypassGain privilege

Products affected by CVE-2022-36110

Gravitl » Netmaker
Versions before (<) 0.15.1
cpe:2.3:a:gravitl:netmaker:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-36110

EPSS FAQ

0.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 20 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-36110

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-36110

CWE-285 Improper Authorization

The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

Assigned by: security-advisories@github.com (Secondary)
CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Assigned by: nvd@nist.gov (Primary)
CWE-1220 Insufficient Granularity of Access Control

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

Assigned by: security-advisories@github.com (Secondary)

References for CVE-2022-36110

https://github.com/gravitl/netmaker/releases/tag/v0.15.1

Release v0.15.1 · gravitl/netmaker · GitHub
Third Party Advisory
https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg

Insufficient Granularity of Access Control in Netmaker · Advisory · gravitl/netmaker · GitHub
Third Party Advisory

Jump to

Vulnerability Details : CVE-2022-36110

Products affected by CVE-2022-36110

Exploit prediction scoring system (EPSS) score for CVE-2022-36110

CVSS scores for CVE-2022-36110

CWE ids for CVE-2022-36110

References for CVE-2022-36110