CVE-2022-36110 NetMaker makes networks with WireGuard. In earlier versions, improper authorization led to users running privileged API calls.

Prior to this version, if an auth token had expired or been revoked, the user would be unable to use the API and other user functions, such as adding or changing roles. This has been fixed in v0.15.1, so if an auth token is revoked or invalid, the user is notified that the token is invalid and cannot be used for API functions.

User data on the Netmaker platform can be vulnerable to hacks if not protected with strong security measures. This problem has been patched in v0.15.1. Previously, if an admin revoked a user's role, the user would still retain access to their profile data. This has been corrected in v0.15.1, so if a user's role is revoked, they are prevented from accessing their profile data and deleting their personal data.

Version 0.14.0

Version 0.14.0 includes a fix for an issue where the user would not be notified of their revoked auth token if they were granted access to their account via the admin console. However, if a user's role was revoked, they would still retain access to their profile data and be able to delete their personal data. This has been fixed in v0.15.1.

Prior to this version, if an auth token had expired or been revoked, the user would be unable to use the API and other user functions, such as adding or changing roles. This has been fixed in v0.15.1, so if an auth token is revoked or invalid, the user is notified that the token is invalid and cannot be used for API functions.

v0.15.1: User Data Protection Fixes

Many of the security vulnerabilities with Netmaker's platform were patched in this version. This includes the issue of revoked auth tokens not being a valid problem. In v0.15.1, an admin can revoke a user's role, and if they do they will be prevented from accessing their profile data or deleting their personal data.

Version 0.15.1 - Released April 16th, 2018

v0.15.1: Fixed Issues

Netmaker has updated their software to better protect user data in v0.15.1. This update includes patches for two security issues that are related to data protection and access keys.
The first patch is a fix for an issue where if an admin revoked a user's role, the user would still have access to their profile data and could delete it from their profile page. This has been corrected in v0.15.1, so if a user's role is revoked, they are prevented from accessing their profile data and deleting their personal data.

Timeline

Published on: 09/09/2022 20:15:00 UTC
Last modified on: 09/15/2022 03:31:00 UTC

References

• https://github.com/gravitl/netmaker/security/advisories/GHSA-ggf6-638m-vqmg
• https://github.com/gravitl/netmaker/releases/tag/v0.15.1
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-36110