Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14cjhjLW1xNXgtNWY1Ns4AA25D
Dromara Lamp-Cloud Use of Hard-coded Cryptographic Key
Dromara Lamp-Cloud before v3.8.1 was discovered to use a hardcoded cryptographic key when creating and verifying a Json Web Token. This vulnerability allows attackers to authenticate to the application via a crafted JWT token.
Permalink: https://github.com/advisories/GHSA-xr8c-mq5x-5f56JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14cjhjLW1xNXgtNWY1Ns4AA25D
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Percentage: 0.00139
EPSS Percentile: 0.50521
Identifiers: GHSA-xr8c-mq5x-5f56, CVE-2023-31579
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-31579
- https://github.com/dromara/lamp-cloud/issues/183
- https://github.com/xubowenW/JWTissues/blob/main/lamp%20issue.md
- https://github.com/dromara/lamp-cloud/commit/31f79b122d85ed1b4f354673212692aa8205437a
- https://github.com/advisories/GHSA-xr8c-mq5x-5f56
Blast Radius: 9.2
Affected Packages
maven:top.tangyh.basic:lamp-util
Dependent packages: 0Dependent repositories: 0
Downloads:
Affected Version Ranges: < 3.8.1
Fixed in: 3.8.1
All affected versions: 3.4.0, 3.5.0, 3.5.1, 3.5.3, 3.5.7, 3.5.8, 3.6.0, 3.6.2, 3.7.0
All unaffected versions: 3.8.1, 3.8.2, 3.9.0, 3.10.0
maven:top.tangyh.basic:lamp-core
Dependent packages: 15Dependent repositories: 17
Downloads:
Affected Version Ranges: < 3.8.1
Fixed in: 3.8.1
All affected versions: 3.4.0, 3.5.0, 3.5.1, 3.5.3, 3.5.5, 3.5.7, 3.5.8, 3.6.0, 3.6.2, 3.7.0
All unaffected versions: 3.8.1, 3.8.2, 3.9.0, 3.10.0