PT-2022-16161 · Netmaker
Afeiszli · Published 2022-02-18 · Updated 2026-05-18 · CVE-2022-23650
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Netmaker versions prior to 0.8.5
Netmaker versions prior to 0.9.4
Netmaker versions prior to 0.10.0
Description
The issue is a hard-coded cryptographic key in the code base of Netmaker, a platform for creating and managing virtual overlay networks using WireGuard. Anyone who knows the server address and an admin username can use this key to run admin commands on a remote server. The server component of Netmaker is affected; the clients are not.
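As an added illustration (not Netmaker's own code, which this advisory does not show), the Go sketch below contrasts a server that authorizes admin commands with a constant baked into the source against one that insists on a per-deployment secret and refuses the source constant. The key value, function names and the EXAMPLE_ADMIN_KEY variable are constructed placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
)

// Constructed placeholder for the weakness class in the advisory: a key that ships
// inside the source is known to anyone who can read the source.
const hardcodedKey = "EXAMPLE-HARDCODED-KEY-DO-NOT-USE"

// signAdminRequest returns the hex tag a server expects on an admin command.
func signAdminRequest(key []byte, user, command string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(user + "\x00" + command))
	return hex.EncodeToString(m.Sum(nil))
}

// verifyAdminRequest recomputes the tag and compares it in constant time.
func verifyAdminRequest(key []byte, user, command, tag string) bool {
	got, err := hex.DecodeString(tag)
	if err != nil {
		return false
	}
	m := hmac.New(sha256.New, key)
	m.Write([]byte(user + "\x00" + command))
	return hmac.Equal(m.Sum(nil), got)
}

// loadServerKey is the hardened form: the key must be set per deployment, and the
// value baked into the source is refused so a stale config cannot keep using it.
func loadServerKey(configured string) ([]byte, error) {
	if configured == "" || configured == hardcodedKey {
		return nil, fmt.Errorf("refusing to start: admin key must be set per deployment and must not be the source constant")
	}
	return []byte(configured), nil
}

func main() {
	forged := signAdminRequest([]byte(hardcodedKey), "admin", "delete-network")
	fmt.Println("constant key accepts forged tag:", verifyAdminRequest([]byte(hardcodedKey), "admin", "delete-network", forged))
	if key, err := loadServerKey(os.Getenv("EXAMPLE_ADMIN_KEY")); err != nil { // hypothetical variable
		fmt.Println(err)
	} else {
		fmt.Println("per-deployment key accepts forged tag:", verifyAdminRequest(key, "admin", "delete-network", forged))
	}
}
```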
Recommendations
To resolve the issue for versions prior to 0.8.5, upgrade to Netmaker version 0.8.5 or later by performing the following steps:
- docker-compose down
- docker pull gravitl/netmaker:(version)
- docker-compose up -d
To resolve the issue for versions prior to 0.9.4, upgrade to Netmaker version 0.9.4 or later by performing the same steps as above.
To resolve the issue for versions prior to 0.10.0, upgrade to Netmaker version 0.10.0 or later by performing the same steps as above.
If running any other version, upgrade to one of the patched versions (0.8.5, 0.9.4, or 0.10.0).
Weakness type: Using Hardcoded Credentials
Affected Products: Netmaker