Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify users. However, the secret key for JWT, "Secret Key", is hard-coded, which leads to authentication bypass. An attacker can perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9. All users are advised to upgrade. There are no known workarounds for this vulnerability.
History
Fri, 20 Sep 2024 16:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | Dragonflyoss; Dragonflyoss dragonfly2 | |
CPEs | cpe:2.3:a:dragonflyoss:dragonfly2:*:*:*:*:*:*:*:* | |
Vendors & Products | Dragonflyoss; Dragonflyoss dragonfly2 | |
Metrics | ssvc | |
Thu, 19 Sep 2024 23:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify users. However, the secret key for JWT, "Secret Key", is hard-coded, which leads to authentication bypass. An attacker can perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9. All users are advised to upgrade. There are no known workarounds for this vulnerability. | |
Title | Dragonfly2 vulnerable to hard-coded cryptographic key | |
Weaknesses | CWE-321 | |
References | | |
Metrics | cvssV3_1 | |
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-09-19T22:54:40.045Z
Updated: 2024-09-20T15:20:37.308Z
Reserved: 2023-03-04T01:03:53.634Z
Link: CVE-2023-27584
Vulnrichment
Updated: 2024-09-20T15:20:30.612Z
NVD
Status: Awaiting Analysis
Published: 2024-09-19T23:15:11.233
Modified: 2024-09-20T12:30:17.483
Link: CVE-2023-27584
Redhat
No data.