CVE-2023-27584— Dragonfly2 vulnerable to hard coded cyptographic key
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2023-27584
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Dragonfly2 vulnerable to hard coded cyptographic key
Source: NVD (National Vulnerability Database)
Vulnerability Description
Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to authentication bypass. An attacker can perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9. All users are advised to upgrade. There are no known workarounds for this vulnerability.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用硬编码的密码学密钥
Source: NVD (National Vulnerability Database)
Vulnerability Title
Dragonfly 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Dragonfly是一个框架,可以对任何内容类型进行动态处理。 Dragonfly 2.0.9版本之前存在安全漏洞,该漏洞源于Dragonfly使用硬编码JWT来验证用户,可能导致身份验证绕过。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Shenlong Deep Dive — AI Deep Analysis
10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| dragonflyoss | Dragonfly2 | < 2.0.9 | - |
II. Public POCs for CVE-2023-27584
| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to authentication bypass. An attacker can perform any action as a user with admin privileges. This issue has been addressed in release version 2.0.9. All users are advised to upgrade. There are no known workarounds for this vulnerability. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-27584.yaml | POC Details |
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2023-27584
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: dragonflyoss
- CVE-2026-24124
Dragonfly Manager Job API Allows Unauthenticated Access - CVE-2025-59410
Dragonfly tiny file download uses hard coded HTTP protocol - CVE-2025-59354
Dragonfly has weak integrity checks for downloaded files - CVE-2025-59353
Manager generates mTLS certificates for arbitrary IP address - CVE-2025-59352
Dragonfly allows arbitrary file read and write on a peer mac
Same weakness: CWE-321
- CVE-2026-8243
Industrial Application Software IAS Canias ERP JNLP Deployme - CVE-2026-6787
Usage of a hard-coded cryptographic key in WatchGuard Agent - CVE-2026-42518
Information Disclosure Vulnerability in e-Sushrut HMIS - CVE-2026-7306
Xuxueli xxl-job OpenAPI Endpoint OpenApiController.java hard - CVE-2026-32644
Milesight Cameras Use of Hard-coded Cryptographic Key
V. Comments for CVE-2023-27584
No comments yet