Dragonfly Manager Job API Allows Unauthenticated Access
Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1.
References
- https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7 x_refsource_CONFIRM
- https://github.com/dragonflyoss/dragonfly/commit/9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f x_refsource_MISC
- https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7 x_refsource_CONFIRM
- https://github.com/dragonflyoss/dragonfly/commit/9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f x_refsource_MISC
- https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7 x_refsource_CONFIRM
- https://github.com/dragonflyoss/dragonfly/commit/9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f x_refsource_MISC
Affected products
dragonfly
- ==< 2.4.1-rc.1
Matching in nixpkgs
pkgs.dragonflydb
Modern replacement for Redis and Memcached
pkgs.dragonfly-reverb
Hall-style reverb based on freeverb3 algorithms
pkgs.python312Packages.dragonfly
Speech recognition framework allowing powerful Python-based scripting
pkgs.python313Packages.dragonfly
Speech recognition framework allowing powerful Python-based scripting
Package maintainers
-
@magnetophon Bart Brouns <bart@magnetophon.nl>
-
@Yureien Soham Sen <contact@sohamsen.me>