CVE-2023-27584
Published 2024-09-19
Priority: P1 (81) · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit
EPSS: 33.62% (98.2nd percentile)
Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify users. However, the secret key for JWT, "Secret Key", is hard coded, which leads to authentication bypass. An attacker can perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| d7y.io | dragonfly_v2 | >= 0 < 2.1.0-beta.1 | 2.1.0-beta.1 |
| d7y.io | dragonfly_v2 | >= 0 < 2.0.9-rc.2 | 2.0.9-rc.2 |
| d7y.io | dragonfly_v2 | >= 2.1.0-alpha.0 < 2.1.0-beta.1 | 2.1.0-beta.1 |
| dragonflyoss | dragonfly2 | < 2.0.9 | 2.0.9 |
| linuxfoundation | dragonfly | < 2.0.9 | 2.0.9 |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring HTTP GET requests to /api/v1/users bearing a JWT cookie signed with HS256 and the hardcoded secret 'Secret Key'. A valid 200 JSON response containing fields id, created_at, updated_at, and state indicates successful authentication bypass.
- A successful exploit response will be HTTP 200 with Content-Type application/json and a body containing all four fields: '"id":', '"created_at":', '"updated_at":', '"state":'
- JWT payload used in exploitation carries admin user id=1 with a future expiry (orig_iat + 4000 seconds), signed HS256 with the literal string 'Secret Key'. Any JWT on /api/v1/users with this signing key should be treated as malicious.
- The hardcoded JWT secret 'Secret Key' is present in Dragonfly2 versions prior to 2.1.0-beta.1 / 2.0.9. Upgrading to 2.0.9 or later replaces the hardcoded secret with a properly generated one, eliminating the vulnerability.
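One way to operationalise the last two IoCs: an added Go check (not Dragonfly's code and not from any source listed here) that reports whether a JWT captured from a request to the manager API verifies under the leaked HS256 key "Secret Key". The sample tokens and their claims are constructed for the demo and reuse the same HMAC helper so the example runs offline.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// LeakedSecret is the hard-coded HS256 key quoted in the advisory.
const LeakedSecret = "Secret Key"
// hs256 returns the HMAC-SHA256 tag over a JWS signing input (header.payload).
func hs256(signingInput string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// SignedWithLeakedSecret reports whether token is a compact HS256 JWT whose
// signature verifies under the leaked key; such a token on /api/v1/users was not
// minted with a per-deployment secret. Malformed tokens yield an error, not a verdict.
func SignedWithLeakedSecret(token string) (bool, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false, errors.New("not a compact JWS")
	}
	hdrJSON, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	sig, err2 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil {
		return false, errors.New("bad base64url segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil {
		return false, err
	}
	if hdr.Alg != "HS256" { // only HS256 tokens can verify under this key
		return false, nil
	}
	return hmac.Equal(sig, hs256(parts[0]+"."+parts[1], []byte(LeakedSecret))), nil
}

// sampleToken builds a constructed JWT (invented claims) with the same HMAC
// helper, so the detector can be exercised offline against known inputs.
func sampleToken(key string) string {
	enc := base64.RawURLEncoding.EncodeToString
	hp := enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc([]byte(`{"id":1,"exp":4102444800}`))
	return hp + "." + enc(hs256(hp, []byte(key)))
}
```

Feed SignedWithLeakedSecret the value of the JWT cookie from proxy or access logs; a true result on a patched deployment means a client is presenting a token no legitimate issuer could have produced.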
OSV · 2024-09-26
CVE-2023-27584: Dragonfly2 has hard coded cryptographic key in d7y.io/dragonfly
OSV · 2024-09-19
CVE-2023-27584 [CRITICAL]: Dragonfly2 has hard coded cryptographic key
### Summary
Hello dragonfly maintainer team, I would like to report a security issue concerning your JWT feature.
### Details
Dragonfly uses [JWT](https://github.com/dragonflyoss/Dragonfly2/blob/cddcac7e3bdb010811e2b62b3c71d9d5c6749011/manager/middlewares/jwt.go) to verify users. However, the secret key for JWT, "Secret Key", is hard coded, which leads to authentication bypass.
```go
authMiddleware, err := jwt.New(&jwt.GinJWTMiddleware{
	Realm:       "Dragonfly",
	Key:         []byte("Secret Key"), // hard-coded HS256 secret, identical in every deployment
	Timeout:     2 * 24 * time.Hour,
	MaxRefresh:  2 * 24 * time.Hour,
	IdentityKey: identityKey,
	IdentityHandler: func(c *gin.Context) any {
		claims := jwt.ExtractClaims(c)
		id, ok := claims[identityKey]
		if !ok {
			c.JSON(http.StatusUnauthorized, gin.H{
				"message": "Unavailable tok
```

(The code excerpt is cut off at this point in the advisory.)
GHSA · 2024-09-19
CVE-2023-27584 [CRITICAL] CWE-321: Dragonfly2 has hard coded cryptographic key
No detection rules found.
Nuclei · CVSS 9.8
CVE-2023-27584 [CRITICAL]: Dragonfly2 < 2.1.0-beta.1 - Hardcoded JWT Secret
Template:

```yaml
id: CVE-2023-27584
info:
  name: Dragonfly2 < 2.1.0-beta.1 - Hardcoded JWT Secret
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    Dragonfly is an open source P2P-based file distribution
```

(The template is cut off at this point on the page.)
No writeups or analysis indexed.