CVE-2023-27584 CRITICAL

CVE-2023-27584: Dragonfly2 vulnerable to hard-coded cryptographic key

Vendor Dragonflyoss
Product Dragonfly2
Weakness CWE-321
Published September 19, 2024
Last update September 26, 2024

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify users. However, the secret key for JWT, "Secret Key", is hard-coded, which leads to authentication bypass: anyone who knows the compiled-in key can mint a valid token and perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9. All users are advised to upgrade. There are no known workarounds for this vulnerability.
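The weakness class here (CWE-321) is a signing key that ships inside the binary, so every deployment shares it and token validation proves nothing about who issued the token. The following Go program is an added example written for this page, not Dragonfly2's code: it implements a minimal HS256 JWT sign/verify pair with the standard library and shows the startup check a hardened service performs, refusing to run with an empty or placeholder secret instead of falling back to a compiled-in default. The rejected-placeholder list, the 32-byte minimum, and the claim names are assumptions; "Secret Key" is the literal named in the advisory.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Claims is the minimal claim set this example checks (assumed names).
type Claims struct {
	Subject string `json:"sub"`
	Admin   bool   `json:"admin"`
}

// Placeholder secrets that must never be accepted at startup. "Secret Key" is
// the literal named in the advisory; the others are constructed examples.
var rejectedSecrets = map[string]bool{
	"Secret Key": true,
	"secret":     true,
	"changeme":   true,
	"":           true,
}

// LoadSigningKey is the deployment-time check the hardened form performs:
// it fails closed on a missing, placeholder or short secret rather than
// silently using a default baked into the binary.
func LoadSigningKey(fromConfig string) ([]byte, error) {
	if rejectedSecrets[fromConfig] {
		return nil, errors.New("jwt: signing key missing or placeholder; set a unique per-deployment secret")
	}
	if len(fromConfig) < 32 {
		return nil, errors.New("jwt: signing key must be at least 32 bytes")
	}
	return []byte(fromConfig), nil
}

// GenerateSigningKey returns a fresh random 256-bit key, base64url-encoded
// so an operator can place it in configuration or a secret store.
func GenerateSigningKey() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign produces a compact HS256 JWT: header.payload.signature.
func Sign(c Claims, key []byte) (string, error) {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// Verify pins the algorithm to HS256 and checks the HMAC in constant time
// before any claim is trusted.
func Verify(token string, key []byte) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("jwt: malformed token")
	}
	hdrJSON, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return c, errors.New("jwt: unexpected algorithm")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return c, errors.New("jwt: bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	return c, json.Unmarshal(body, &c)
}

func main() {
	// The vulnerable pattern: the key is a compiled-in literal, so startup is refused.
	if _, err := LoadSigningKey("Secret Key"); err != nil {
		fmt.Println("refused:", err)
	}
	// The hardened pattern: a per-deployment random key from configuration.
	generated, _ := GenerateSigningKey()
	key, _ := LoadSigningKey(generated)
	tok, _ := Sign(Claims{Subject: "alice", Admin: true}, key)
	claims, err := Verify(tok, key)
	fmt.Println(claims, err)
}
```

The `Verify` routine deliberately checks `alg` before touching the signature and uses `hmac.Equal` so a token minted under any other key, including a leaked former default, fails without leaking timing information.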

Key dates

Disclosure timeline

September 19, 2024 CVE published
September 26, 2024 Record updated