You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Hello dragonfly maintainer team, I would like to report a security issue concerning your JWT feature.
Details
Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to authentication bypass
authMiddleware, err:= jwt.New(&jwt.GinJWTMiddleware{
Realm: "Dragonfly",
Key: []byte("Secret Key"),
Timeout: 2*24*time.Hour,
MaxRefresh: 2*24*time.Hour,
IdentityKey: identity...References:
-ADVISORY: https://github.com/advisories/GHSA-hpc8-7wpm-889w-ADVISORY: https://github.com/dragonflyoss/Dragonfly2/security/advisories/GHSA-hpc8-7wpm-889w-FIX: https://github.com/dragonflyoss/Dragonfly2/commit/e9da69dc4048bf2a18a671be94616d85e3429433Noexistingreportsfoundwiththismoduleoralias.
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.
Advisory GHSA-hpc8-7wpm-889w references a vulnerability in the following Go modules:
Description:
Summary
Hello dragonfly maintainer team, I would like to report a security issue concerning your JWT feature.
Details
Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to authentication bypass
id: GO-ID-PENDING
modules:
- module: d7y.io/dragonfly/v2
versions:
- fixed: 2.1.0-beta.1
vulnerable_at: 2.1.0-beta.0
summary: Dragonfly2 has hard coded cyptographic key in d7y.io/dragonfly
cves:
- CVE-2023-27584
ghsas:
- GHSA-hpc8-7wpm-889w
references:
- advisory: GHSA-hpc8-7wpm-889w
- advisory: GHSA-hpc8-7wpm-889w
- fix: dragonflyoss/Dragonfly2@e9da69d
source:
id: GHSA-hpc8-7wpm-889w
created: 2024-09-19T15:01:27.077702284Z
review_status: UNREVIEWED
The text was updated successfully, but these errors were encountered: