CVE-2023-27584
published 2024-09-19


Priority: P1 · 81 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 33.62% (98.2th percentile)
Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify users. However, the JWT secret key, "Secret Key", is hard-coded, which leads to authentication bypass. An attacker can perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected

5 ranges

Vendor           Product        Version range                       Fixed in
d7y.io           dragonfly_v2   >= 0 < 2.1.0-beta.1                 2.1.0-beta.1
d7y.io           dragonfly_v2   >= 0 < 2.0.9-rc.2                   2.0.9-rc.2
d7y.io           dragonfly_v2   >= 2.1.0-alpha.0 < 2.1.0-beta.1     2.1.0-beta.1
dragonflyoss     dragonfly2     < 2.0.9                             2.0.9
linuxfoundation  dragonfly      < 2.0.9                             2.0.9

Detection & IOCs (extracted from sources)

other:  Secret Key
url:    /api/v1/users
cookie: jwt={{generate_jwt(payload,"HS256","Secret Key")}}
  • Detect exploitation attempts by monitoring HTTP GET requests to /api/v1/users bearing a JWT cookie signed with HS256 and the hardcoded secret 'Secret Key'. A valid 200 JSON response containing fields id, created_at, updated_at, and state indicates successful authentication bypass.
  • A successful exploit response will be HTTP 200 with Content-Type application/json and a body containing all four fields: '"id":', '"created_at":', '"updated_at":', '"state":'
  • JWT payload used in exploitation carries admin user id=1 with a future expiry (orig_iat + 4000 seconds), signed HS256 with the literal string 'Secret Key'. Any JWT on /api/v1/users with this signing key should be treated as malicious.
  • The hardcoded JWT secret 'Secret Key' is present in Dragonfly2 versions prior to 2.1.0-beta.1 / 2.0.9. Upgrading to 2.0.9 or later replaces the hardcoded secret with a properly generated one, eliminating the vulnerability.
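A defender-side check for the IOCs above, as an added example that is not from the advisory or the Dragonfly project: it tests whether a JWT cookie seen on /api/v1/users validates under the hard-coded HS256 key 'Secret Key' and runs that check over a constructed sample access log. The log line format, the sample tokens and the per-deployment key are assumptions.

```python
import base64, hashlib, hmac, json

# Hard-coded signing key named in the advisory, and the endpoint the IOCs say to monitor.
HARDCODED_SECRET = b"Secret Key"
MONITORED_PATH = "/api/v1/users"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def signed_with_hardcoded_secret(token: str) -> bool:
    """True if token is an HS256 JWT whose signature verifies under 'Secret Key'."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
        sig = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):  # not base64url / not JSON / not UTF-8
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    expected = hmac.new(HARDCODED_SECRET, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def scan_access_log(lines):
    """Return (line_no, status) for /api/v1/users requests whose jwt cookie verifies
    under the hard-coded key. Assumed log format: METHOD PATH STATUS jwt=<token>."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = line.split()
        if len(f) < 4 or f[1] != MONITORED_PATH or not f[3].startswith("jwt="):
            continue
        if signed_with_hardcoded_secret(f[3][len("jwt="):]):
            hits.append((n, int(f[2])))  # status 200 = bypass succeeded, otherwise an attempt
    return hits

def _constructed_token(secret: bytes) -> str:
    """Test fixture only: minimal HS256 token with the admin-id payload shape from the IOCs."""
    head = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps({"id": 1, "exp": 1700004000}).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(mac)}"

# Constructed sample log: token under the hard-coded key, token under a per-deployment key, no cookie.
SAMPLE_LOG = [
    f"GET {MONITORED_PATH} 200 jwt={_constructed_token(HARDCODED_SECRET)}",
    f"GET {MONITORED_PATH} 200 jwt={_constructed_token(b'per-deployment-random-key')}",
    f"GET {MONITORED_PATH} 401 -",
]
```

Only the first sample line is reported, as (1, 200); a token signed with any other key, or a request without a jwt cookie, is left alone.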