x/vulndb: potential Go vuln in github.com/dragonflyoss/Dragonfly2: CVE-2023-27584

[GoVulnBot]

Advisory CVE-2023-27584 references a vulnerability in the following Go modules:

Module
github.com/dragonflyoss/Dragonfly2

Description:
Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to authentication bypass. An attacker can perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9. All users are advised to upgrade. There are no known workarounds for this vulnerability.

References:

• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2023-27584
• WEB: https://github.com/dragonflyoss/Dragonfly2/releases/tag/v2.0.9
• WEB: GHSA-hpc8-7wpm-889w

No existing reports found with this module or alias.
See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/dragonflyoss/Dragonfly2
      vulnerable_at: 0.1.0-beta-3
summary: CVE-2023-27584 in github.com/dragonflyoss/Dragonfly2
cves:
    - CVE-2023-27584
references:
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-27584
    - web: https://github.com/dragonflyoss/Dragonfly2/releases/tag/v2.0.9
    - web: https://github.com/dragonflyoss/Dragonfly2/security/advisories/GHSA-hpc8-7wpm-889w
source:
    id: CVE-2023-27584
    created: 2024-09-20T00:01:21.88491278Z
review_status: UNREVIEWED

[zpavlinovic]

Duplicate of #3136