CVE-2022-23650: Use of Hard-coded Cryptographic Key in Netmaker
7.2
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.67381%
CWE
Published
2/22/2022
Updated
2/3/2023
KEV Status
No
Technology
Go
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
github.com/gravitl/netmaker | go | < 0.8.5 | 0.8.5 |
github.com/gravitl/netmaker | go | >= 0.9.0, < 0.9.4 | 0.9.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the global variable jwtSecretKey
in logic/jwts.go
being initialized with a static value (BytesOverTheWire)
. Both CreateJWT
and CreateUserJWT
functions used this hard-coded key to sign JWTs. The patch replaced the hard-coded value with a dynamically generated secret (via SetJWTSecret
), confirming these functions were vulnerable due to their dependency on the static key. The functions' direct use of jwtSecretKey
for cryptographic operations aligns with CWE-321 and CWE-798.