x/vulndb: potential Go vuln in d7y.io/dragonfly/v2: GHSA-hpc8-7wpm-889w

[GoVulnBot]

Advisory GHSA-hpc8-7wpm-889w references a vulnerability in the following Go modules:

Module
d7y.io/dragonfly/v2

Description:

Summary

Hello dragonfly maintainer team, I would like to report a security issue concerning your JWT feature.

Details

Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to authentication bypass

authMiddleware, err := jwt.New(&jwt.GinJWTMiddleware{
		Realm:       "Dragonfly",
		Key:         []byte("Secret Key"),
		Timeout:     2 * 24 * time.Hour,
		MaxRefresh:  2 * 24 * time.Hour,
		IdentityKey: identity...

References:
- ADVISORY: https://github.com/advisories/GHSA-hpc8-7wpm-889w
- ADVISORY: https://github.com/dragonflyoss/Dragonfly2/security/advisories/GHSA-hpc8-7wpm-889w
- FIX: https://github.com/dragonflyoss/Dragonfly2/commit/e9da69dc4048bf2a18a671be94616d85e3429433

No existing reports found with this module or alias.
See [doc/quickstart.md](https://github.com/golang/vulndb/blob/master/doc/quickstart.md) for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
- module: d7y.io/dragonfly/v2
versions:
- fixed: 2.1.0-beta.1
vulnerable_at: 2.1.0-beta.0
summary: Dragonfly2 has hard coded cyptographic key in d7y.io/dragonfly
cves:
- CVE-2023-27584
ghsas:
- GHSA-hpc8-7wpm-889w
references:
- advisory: GHSA-hpc8-7wpm-889w
- advisory: GHSA-hpc8-7wpm-889w
- fix: dragonflyoss/dragonfly@e9da69d
source:
id: GHSA-hpc8-7wpm-889w
created: 2024-09-19T15:01:27.077702284Z
review_status: UNREVIEWED

[gopherbot]

Change https://go.dev/cl/616059 mentions this issue: data/reports: add 13 unreviewed reports

[gopherbot]

Change https://go.dev/cl/616060 mentions this issue: data/reports: add 11 unreviewed reports