
11 matches found

OSV
added 2025/09/17 7:55 p.m., 3 views

GHSA-8425-8R2F-MRV6 Dragonfly's directories created via os.MkdirAll are not checked for permissions

Impact: DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 wi...

CVSS 5.1, AI score 6.8, EPSS 0.00031
Exploits 0, References 5
Github Security Blog
added 2025/09/17 7:55 p.m., 4 views

Dragonfly's directories created via os.MkdirAll are not checked for permissions

Impact: DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 wi...

CVSS 5.1, AI score 6.8, EPSS 0.00031
Exploits 0, References 5, Affected Software 2
GitLab Advisory Database
added 2025/09/17 12:0 a.m., 4 views

Dragonfly vulnerable to server-side request forgery

There are multiple server-side request forgery (SSRF) vulnerabilities in the DragonFly2 system. The vulnerabilities enable users to force DragonFly2’s components to make requests to internal services, which otherwise are not accessible to the users. One SSRF attack vector is exposed by the Manager’...

CVSS 6.9, AI score 6.8, EPSS 0.0008
Exploits 0, References 6, Affected Software 1
GitLab Advisory Database
added 2025/09/17 12:0 a.m., 4 views

Dragonfly's directories created via os.MkdirAll are not checked for permissions

DragonFly2 uses the os.MkdirAll function to create certain directory paths with specific access permissions. This function does not perform any permission checks when a given directory path already exists. This allows a local attacker to create a directory to be used later by DragonFly2 with broa...

CVSS 5.1, AI score 6.7, EPSS 0.00031
Exploits 0, References 6, Affected Software 1
GitLab Advisory Database
added 2025/09/17 12:0 a.m., 5 views

DragonFly has weak integrity checks for downloaded files

DragonFly2 uses a variety of hash functions, including the MD5 hash. This algorithm does not provide collision resistance; it is secure only against preimage attacks. While these security guarantees may be enough for the DragonFly2 system, it is not completely clear if there are any scenarios...

CVSS 6.9, AI score 6.8, EPSS 0.00039
Exploits 0, References 6, Affected Software 1
OSV
added 2024/09/26 6:24 p.m., 13 views

GO-2024-3136 Dragonfly2 has hard coded cryptographic key in d7y.io/dragonfly

Dragonfly2 has hard coded cryptographic key in d7y.io/dragonfly...

CVSS 9.8, AI score 9.4, EPSS 0.66176
Exploits 1, References 4
Cvelist
added 2024/09/19 10:54 p.m., 25 views

CVE-2023-27584 Dragonfly2 vulnerable to hard coded cryptographic key

Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to...

CVSS 9.8, EPSS 0.66176
Exploits 1, References 2
Vulnrichment
added 2024/09/19 10:54 p.m., 19 views

CVE-2023-27584 Dragonfly2 vulnerable to hard coded cryptographic key

Dragonfly is an open source P2P-based file distribution and image acceleration system. It is hosted by the Cloud Native Computing Foundation (CNCF) as an Incubating Level Project. Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to...

CVSS 9.8, AI score 7, EPSS 0.66176
Exploits 1, References 2
Github Security Blog
added 2024/09/19 2:47 p.m., 23 views

Dragonfly2 has hard coded cryptographic key

Summary: Hello dragonfly maintainer team, I would like to report a security issue concerning your JWT feature. Details: Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to authentication bypass go authMiddleware, err :=...

CVSS 9.8, AI score 9.6, EPSS 0.66176
Exploits 1, References 6, Affected Software 1
OSV
added 2024/09/19 2:47 p.m., 16 views

GHSA-HPC8-7WPM-889W Dragonfly2 has hard coded cryptographic key

Summary: Hello dragonfly maintainer team, I would like to report a security issue concerning your JWT feature. Details: Dragonfly uses JWT to verify user. However, the secret key for JWT, "Secret Key", is hard coded, which leads to authentication bypass go authMiddleware, err :=...

CVSS 9.8, AI score 9.6, EPSS 0.66176
Exploits 1, References 6
GitLab Advisory Database
added 2024/09/19 12:0 a.m., 27 views

Dragonfly2 has hard coded cryptographic key

Hello dragonfly maintainer team, I would like to report a security issue concerning your JWT feature...

CVSS 9.8, AI score 6.8, EPSS 0.66176
Exploits 1, References 7, Affected Software 1