7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23650

GHSA ID

GHSA-86f3-hf24-76q4

EPSS Score

0.67381%

CWE

CWE-321

Published

2/22/2022

Updated

2/3/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-23650

CVE-2022-23650: Use of Hard-coded Cryptographic Key in Netmaker

Impact

There is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server, if you know the address and username of the admin. This effects the server (netmaker) component, and not clients.

Patches

This has been patched in Netmaker v0.8.5, v0.9.4, and v0.10.0. If you are running these versions, the fix is to perform the following:

docker-compose down
docker pull gravitl/netmaker:( version )
docker-compose up -d

Additional Information

If you are running any other version, you will need to upgrade to one of these three versions. If you have a special circumstance that requires running a different version, let us know and we may be able to build a custom patch.

For more information

If you have any questions or comments about this advisory:

Email us at info@gravitl.com

(GitHub Advisory)

7.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-23650

GHSA ID

GHSA-86f3-hf24-76q4

EPSS Score

0.67381%

CWE

CWE-321

Published

2/22/2022

Updated

2/3/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/gravitl/netmaker	go	< 0.8.5	0.8.5
github.com/gravitl/netmaker	go	>= 0.9.0, < 0.9.4	0.9.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the global variable jwtSecretKey in logic/jwts.go being initialized with a static value (BytesOverTheWire). Both CreateJWT and CreateUserJWT functions used this hard-coded key to sign JWTs. The patch replaced the hard-coded value with a dynamically generated secret (via SetJWTSecret), confirming these functions were vulnerable due to their dependency on the static key. The functions' direct use of jwtSecretKey for cryptographic operations aligns with CWE-321 and CWE-798.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T**r* is * **r*-*o*** *rypto*r*p*i* k*y in t** *o** **s* w*i** **n ** *xploit** to run **min *omm*n*s on * r*mot* s*rv*r, i* you know t** ***r*ss *n* us*rn*m* o* t** **min. T*is *****ts t** s*rv*r (n*tm*k*r) *ompon*nt, *n* not *li*nts. ##

Reasoning

T** vuln*r**ility st*ms *rom t** *lo**l v*ri**l* `jwtS**r*tK*y` in `lo*i*/jwts.*o` **in* initi*liz** wit* * st*ti* v*lu* `(*yt*sOv*rT**Wir*)`. *ot* `*r**t*JWT` *n* `*r**t*Us*rJWT` *un*tions us** t*is **r*-*o*** k*y to si*n JWTs. T** p*t** r*pl**** t*

7.2

Basic Information

Concerned about an active attack path?

CVE-2022-23650: Use of Hard-coded Cryptographic Key in Netmaker

Impact

Patches

Additional Information

For more information

7.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI