CVE-2023-27584

Exploit

EPSS 64.64%
Veröffentlicht 19.09.2024 23:15:11
Zuletzt bearbeitet 20.12.2024 19:11:43
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to authentication bypass. An attacker can perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9. All users are advised to upgrade. There are no known workarounds for this vulnerability.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Linuxfoundation ≫ Dragonfly SwPlatformgo Version < 2.0.9

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	64.64%	0.984

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-321 Use of Hard-coded Cryptographic Key

The use of a hard-coded cryptographic key significantly increases the possibility that encrypted data may be recovered.

CWE-798 Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

https://github.com/dragonflyoss/Dragonfly2/releases/tag/v2.0.9

Release Notes

https://github.com/dragonflyoss/Dragonfly2/security/advisories/GHSA-hpc8-7wpm-889w

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2023-27584

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-27584

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-27584

EUVD