Dragonfly <=2.0.9 JWT Secret Hardcoded Enables Auth Bypass
CVE-2023-27584 Published on September 19, 2024
Dragonfly2 vulnerable to hard coded cyptographic key
Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to authentication bypass. An attacker can perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Vulnerability Analysis
CVE-2023-27584 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An automatable proof of concept (POC) exploit exists. The potential impact of an exploit of this vulnerability is considered to be critical as this vulnerability has a high impact to the confidentiality, integrity and availability of this component.
Weakness Type
Use of Hard-coded Cryptographic Key
The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.
Products Associated with CVE-2023-27584
stack.watch emails you whenever new vulnerabilities are published in D7y Dragonfly or Linux Foundation Dragonfly. Just hit a watch button to start following.
Affected Versions
dragonflyoss Dragonfly2:- Version < 2.0.9 is affected.
- Before 2.0.9 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.