Use of Hard-coded Cryptographic Key in Netmaker
Summary
| CVE | CVE-2022-23650 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-02-18 22:15:13 UTC |
| Updated | 2026-05-18 16:44:17 UTC |
| Description | Netmaker is a platform for creating and managing virtual overlay networks using WireGuard. Prior to versions 0.8.5, 0.9.4, and 010.0, there is a hard-coded cryptographic key in the code base which can be exploited to run admin commands on a remote server if the exploiter know the address and username of the admin. This effects the server (netmaker) component, and not clients. This has been patched in Netmaker v0.8.5, v0.9.4, and v0.10.0. There are currently no known workarounds. |
Risk And Classification
Primary CVSS: v3.1 8.8 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Problem Types: CWE-321 | CWE-798 | CWE-321 CWE-321: Use of Hard-coded Cryptographic Key
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Primary | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | [email protected] | Secondary | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | CNA | DECLARED | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| 2.0 | [email protected] | Primary | 9 | AV:N/AC:L/Au:S/C:C/I:C/A:C |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
HighAvailability
HighCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
LowAuthentication
SingleConfidentiality
CompleteIntegrity
CompleteAvailability
CompleteAV:N/AC:L/Au:S/C:C/I:C/A:C
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Use of Hard-coded Cryptographic Key · Advisory · gravitl/netmaker · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Third Party Advisory |
| Merge pull request #770 from gravitl/hotfix_v0.10.0_jwt_data · gravitl/netmaker@3d4f44e · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Patch, Third Party Advisory |
| Merge pull request #777 from gravitl/hotfix_v0.9.4 · gravitl/netmaker@e9bce26 · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Patch, Third Party Advisory |
| hotfix v0.8.5 by 0xdcarns · Pull Request #781 · gravitl/netmaker · GitHub | af854a3a-2127-422b-91ae-364da2661108 | github.com | Patch, Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.