


    2 records found for dragonfly2 by dragonflyoss — both describe the same issue, CVE-2023-27584, as published by two sources (nvd and cvelistv5)

    CVE-2023-27584 (GCVE-0-2023-27584)

    Vulnerability from nvd – Published: 2024-09-19 22:54 – Updated: 2024-09-26 03:55
    Title
    Dragonfly2 vulnerable to hard-coded cryptographic key
    Summary
    Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to authenticate users. However, the secret used to sign and verify those JWTs (the literal string "Secret Key") is hard-coded in the source. Because the project is open source, anyone can read that secret and mint tokens the server accepts, bypassing authentication entirely; an unauthenticated remote attacker can therefore perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9, and all users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-321 - Use of Hard-coded Cryptographic Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    dragonflyoss Dragonfly2 Affected: < 2.0.9
    dragonflyoss dragonfly2 Affected: 0 , < 2.0.9 (custom)
        cpe:2.3:a:dragonflyoss:dragonfly2:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:dragonflyoss:dragonfly2:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "dragonfly2",
                "vendor": "dragonflyoss",
                "versions": [
                  {
                    "lessThan": "2.0.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-27584",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-26T03:55:52.647Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Dragonfly2",
              "vendor": "dragonflyoss",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key for JWT, \"Secret Key\", is hard coded, which leads to authentication bypass. An attacker can perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9. All users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321: Use of Hard-coded Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-19T22:54:40.045Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/dragonflyoss/Dragonfly2/security/advisories/GHSA-hpc8-7wpm-889w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/dragonflyoss/Dragonfly2/security/advisories/GHSA-hpc8-7wpm-889w"
            },
            {
              "name": "https://github.com/dragonflyoss/Dragonfly2/releases/tag/v2.0.9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/dragonflyoss/Dragonfly2/releases/tag/v2.0.9"
            }
          ],
          "source": {
            "advisory": "GHSA-hpc8-7wpm-889w",
            "discovery": "UNKNOWN"
          },
          "title": "Dragonfly2 vulnerable to hard coded cyptographic key"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-27584",
        "datePublished": "2024-09-19T22:54:40.045Z",
        "dateReserved": "2023-03-04T01:03:53.634Z",
        "dateUpdated": "2024-09-26T03:55:52.647Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-27584 (GCVE-0-2023-27584)

    Vulnerability from cvelistv5 – Published: 2024-09-19 22:54 – Updated: 2024-09-26 03:55
    Title
    Dragonfly2 vulnerable to hard-coded cryptographic key
    Summary
    Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to authenticate users. However, the secret used to sign and verify those JWTs (the literal string "Secret Key") is hard-coded in the source. Because the project is open source, anyone can read that secret and mint tokens the server accepts, bypassing authentication entirely; an unauthenticated remote attacker can therefore perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9, and all users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-321 - Use of Hard-coded Cryptographic Key
    Assigner
    References
    Impacted products
    Vendor Product Version
    dragonflyoss Dragonfly2 Affected: < 2.0.9
    dragonflyoss dragonfly2 Affected: 0 , < 2.0.9 (custom)
        cpe:2.3:a:dragonflyoss:dragonfly2:*:*:*:*:*:*:*:*

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:dragonflyoss:dragonfly2:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "dragonfly2",
                "vendor": "dragonflyoss",
                "versions": [
                  {
                    "lessThan": "2.0.9",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-27584",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-25T00:00:00+00:00",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-26T03:55:52.647Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Dragonfly2",
              "vendor": "dragonflyoss",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 2.0.9"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key for JWT, \"Secret Key\", is hard coded, which leads to authentication bypass. An attacker can perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9. All users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 9.8,
                "baseSeverity": "CRITICAL",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-321",
                  "description": "CWE-321: Use of Hard-coded Cryptographic Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-09-19T22:54:40.045Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/dragonflyoss/Dragonfly2/security/advisories/GHSA-hpc8-7wpm-889w",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/dragonflyoss/Dragonfly2/security/advisories/GHSA-hpc8-7wpm-889w"
            },
            {
              "name": "https://github.com/dragonflyoss/Dragonfly2/releases/tag/v2.0.9",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/dragonflyoss/Dragonfly2/releases/tag/v2.0.9"
            }
          ],
          "source": {
            "advisory": "GHSA-hpc8-7wpm-889w",
            "discovery": "UNKNOWN"
          },
          "title": "Dragonfly2 vulnerable to hard coded cyptographic key"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2023-27584",
        "datePublished": "2024-09-19T22:54:40.045Z",
        "dateReserved": "2023-03-04T01:03:53.634Z",
        "dateUpdated": "2024-09-26T03:55:52.647Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }