Use of Hard-coded Cryptographic Key Affecting github.com/dragonflyoss/dragonfly2/manager/config package, versions <2.1.0-beta.1


Severity: critical (CVSS assessment made by Snyk's Security Team)

Threat Intelligence

Exploit Maturity: Proof of concept
EPSS: 4.78% (93rd percentile)

  • Snyk ID: SNYK-GOLANG-GITHUBCOMDRAGONFLYOSSDRAGONFLY2MANAGERCONFIG-8062318
  • Published: 20 Sept 2024
  • Disclosed: 19 Sept 2024
  • Credit: cokeBeer

Introduced: 19 Sep 2024

CVE-2023-27584
CWE-321

How to fix?

Upgrade github.com/dragonflyoss/Dragonfly2/manager/config to version 2.1.0-beta.1 or higher.

Overview

Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key in the JWT authentication middleware. An attacker can impersonate any user, including administrative accounts, by generating a valid JWT with the known secret key.
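As an added illustration (not Dragonfly2's own code), the defensive pattern that closes this class of bug in a Go service: a startup check that refuses to run with the shipped default secret, and an HS256 verifier that only honours tokens minted under the deployment's own key. The placeholder default value, the 32-byte minimum and the function names are constructed assumptions, not values from the project.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// defaultSecret is a constructed placeholder for a key that ships hard-coded
// in the manager's configuration; it is not the real Dragonfly2 value.
const defaultSecret = "CHANGE-ME-default-jwt-secret"

var ErrWeakSecret = errors.New("jwt secret is empty, the shipped default, or shorter than 32 bytes")

// LoadJWTSecret is the startup check: the manager refuses to start until the
// deployment has replaced the shipped default with its own sufficiently long key.
func LoadJWTSecret(configured string) ([]byte, error) {
	if configured == "" || configured == defaultSecret || len(configured) < 32 {
		return nil, ErrWeakSecret
	}
	return []byte(configured), nil
}

var b64 = base64.RawURLEncoding

// hs256 returns the base64url-encoded HMAC-SHA256 tag over a JWT signing input
// (header.payload); the server uses the same function when it issues tokens.
func hs256(input string, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return b64.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 recomputes the tag with the server's key and compares it in
// constant time; the token's own alg header is never consulted.
func VerifyHS256(token string, secret []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 || !hmac.Equal([]byte(parts[2]), []byte(hs256(parts[0]+"."+parts[1], secret))) {
		return nil, errors.New("invalid token or signature")
	}
	var claims map[string]any
	if payload, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(payload, &claims) != nil {
		return nil, errors.New("malformed payload")
	}
	return claims, nil
}
```

After rotating away from a shipped default, any token that was minted under the old key fails verification, which is the property a regression test for this advisory should pin down.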
