CVE-2022-4968 : netplan leaks the private key of wireguard to local users. Versions after 1.0 ar

netplan leaks the private key of wireguard to local users. Versions after 1.0 are not affected.

Published 2024-06-07 00:14:23

Updated 2024-10-30 13:56:33

Source Canonical Ltd.

View at NVD, CVE.org

Products affected by CVE-2022-4968

Canonical » Netplan
Versions up to, including, (<=) 1.0
cpe:2.3:a:canonical:netplan:*:*:*:*:*:*:*:*
Matching versions
Canonical » Netplan
Versions before (<) 1.0.1
cpe:2.3:a:canonical:netplan:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.06%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 16 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N	N/A	N/A	Canonical Ltd.	2024-06-07
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: None Availability: None
6.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N	2.0	4.0	NIST	2024-10-30
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: None Availability: None
6.5	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N	2.0	4.0	Canonical Ltd.	2024-06-07
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: None Availability: None

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Assigned by:
- cc1ad9ee-3454-478d-9317-d3e869d708bc (Primary)
- security@ubuntu.com (Secondary)
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.

Assigned by: security@ubuntu.com (Secondary)

https://bugs.launchpad.net/netplan/+bug/1987842

Bug #1987842 “wireguard: netdev file can leak private key” : Bugs : Netplan
Issue Tracking;Vendor Advisory
https://bugs.launchpad.net/ubuntu/+source/netplan.io/+bug/2065738

Bug #2065738 “Leaks wireguard keys” : Bugs : netplan.io package : Ubuntu
Exploit;Issue Tracking;Vendor Advisory
https://www.cve.org/CVERecord?id=CVE-2022-4968

CVE Record | CVE
US Government Resource
https://github.com/canonical/netplan/commit/4c39b75b5c6ae7d976bda6da68da60d9a7f085ee

libnetplan: use more restrictive file permissions · canonical/netplan@4c39b75 · GitHub
Patch

Jump to