8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-32079

GHSA ID

GHSA-826j-8wp2-4x6q

EPSS Score

0.67083%

CWE

CWE-915

Published

8/25/2023

Updated

11/10/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-32079

CVE-2023-32079: Netmaker Vulnerable to Privilege Escalation From Non Admin To Admin User

Impact

A Mass assignment vulnerability was found allowing a non-admin user to escalate privileges to admin user.

Patches

Issue is patched in 0.17.1, and fixed in 0.18.6+.

If Users are using 0.17.1, they should run "docker pull gravitl/netmaker:v0.17.1" and "docker-compose up -d". This will switch them to the patched users

If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later.

Workarounds

If using 0.17.1, can just pull the latest docker image of backend and restart server.

References

Credit to Project Discovery, and in particular https://github.com/rootxharsh , https://github.com/iamnoooob, and https://github.com/projectdiscovery

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-32079

CVE-2023-32079:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-32079

GHSA ID

GHSA-826j-8wp2-4x6q

EPSS Score

0.67083%

CWE

CWE-915

Published

8/25/2023

Updated

11/10/2023

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/gravitl/netmaker	go	< 0.17.1	0.17.1
github.com/gravitl/netmaker	go	>= 0.18.0, < 0.18.6	0.18.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a mass assignment issue (CWE-915) allowing privilege escalation. In Go web applications, this typically occurs in user update/create handlers that bind request data directly to user models without field filtering. The high-confidence 'UpdateUser' function would be responsible for processing user profile updates, where a missing allowlist of editable fields could let attackers modify admin privileges. The medium-confidence 'CreateUser' is included as secondary vector, though the primary impact appears in update operations. Without commit diffs, this assessment is based on standard patterns for this CWE and the described privilege escalation impact.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-32079: Netmaker Vulnerable to Privilege Escalation From Non Admin To Admin User

Impact

Patches

Workarounds

References

CVE-2023-32079:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

8.8

8.8

CVE-2023-32079: Netmaker Vulnerable to Privilege Escalation From Non Admin To Admin User

Impact

Patches

Workarounds

References

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI